Frequently Asked Questions

NOTE: To search this FAQ by keyword, press CONTROL and F simultaneously.
The Windows FIND box will appear. Type in the keyword, and click FIND NEXT until you
find the topic that addresses your question.
Individual FAQ items are numbered for reference, beginning here.
(C) Flicks 2010

I have
the MMC/IIS Properties/Home-Directory
application protection
set to Medium, or High (IIS5 and above) or
NOT "running in its own application space" (IIS4 and above).
Then strange things happen with remote administration. I cannot see
who is currently logged in as I should be able to.
Sometimes the remote administration tool clears the configuration
and I have to restore the adb file.

I'm using IIS6 and I get
"An attempt was made to load the filter but it requires the
SF_NOTIFY_READ_RAW_DATA filter notification and this notification is not
supported in
Worker Process Isolation Mode."

I get into the protected area, but it keeps re-prompting me
with multiple prompts for a username and password.

"I've installed the Red Worm patch.
My IIS system restarts every 15 minutes
(OR every 30 minutes OR every hour OR once per day).
In the event log I see a message about AuthentiX starting up"

The software keeps prompting me (three times or more!)
on the page in the protected directory.
It is a terrific page, it's got stylesheets, framesets,
a whole bunch of
cool gifs, all the latest stuff and more.
Why am I having problems?

I have been able to protect
Real streaming files
with WebQuota
by saving them as .rm files .... but my visitors receive
a double prompt for a username and password
the first time they log in. How can I fix this?

I notice that once I have entered a username and password
to access a directory, I don't have to enter it again.
Because several people share each computer/browser that access the
directory,
how do I turn this caching off?

I have multiple protected directories and each are subdirectories of each other, ie
/paid/, /paid/b/, /paid/c/, /paid/c/d/, etc.
They are all separately protected by the same group.
When a browser goes straight first to /paid/c/ he is prompted once.
Then when going to /paid/b/ he is prompted again for the same username/password!
I want him prompted only once!

I am using files that are played with Windows Media Player.
When they are protected with AuthentiX and Basic Authentication,
Windows Media Player
cannot access them when using IE, although Netscape works fine.
(mpg, mpeg).

I am using files that are played with Real Video and Real Player
When they are protected with AuthentiX and Basic Authentication,
Real Player
cannot access them!

I want to have several different directories, each with different levels
of access (corresponding to an AuthentiX Group),
but I only want users to login once, then be redirected to the appropriate directory
based on their group. How can I do this?
I don't want to put 3 buttons from a free area
because everyone will see the different access levels.

I am using AuthentiX ISP and the aspAdminISP asp web pages for remote administration,
and I am getting -14 users, and other strange results.
In the Administrator Settings, it tells me "This domain has a
bad password (status: 2). See your ISP Administrator".

I am using AuthentiX ISP and the OCX module
and I am getting error 102, and other strange results.

I just used AuthentiX to protect a directory that I've been working on, and I was
shocked to find that after it prompted me for a username and password,
I could click the browser's "forward" button, then the "back" button and lo!
the protected page appears! Is this a security hole?

I am using referral (referer) protection
however, with MPEGS, WMV's and pdf's it does not work - users are denied access,
and with printing CSS I have the same problem.

I'm using one of your advanced authentication methods
(eg ODBC-Advanced, or By COM) in conjunction with
site-wide cookies.
How do
I decode the password supplied
by AuthentiX to the advanced method
so I can compare it with the password value in my data store?

I notice that other ISAPI filters with high priorities run first, before
AuthentiX.
I want to run AuthentiX / WebQuota as a high priority filter.
How do I do this?

I'm running IIS6, and after I install the software nothing works!
You pop up a dialog box saying IIS needs at least one request
to activate, but I can't make any requests at all. IIS6 just hangs.
What shall I do?

I am trying to install but I am getting the message:
"The image file is valid but is for another machine."
I understand that this is because it is a 64bit Windows machine.
How do I install on 64 bit Windows?

I've got thousands of files, each of which I want to have different permissions.
Customers can buy access to any number of these individual files, and this information
is stored in an ODBC database. Do I have to individually protect each file with
a different SELECT statement, or
is there an alternative.

Is there a way to check for the script_name, the file requested, in the
custom select statement? I can't seem to get it to work?

I've tried everything. The Test button works fine, I've set all the optional
switches, its a system DSN, I have permission to access the database from
IIS, I've read and tried everything else in the FAQ -
I'm pulling my hair out, MARIO - help me!

With Cookie based protection, I am trying to get
the cookies to be persistent, but they always seem to expire with the session.
I don't want the user to log in each time they come to the site.
How do I make the cookies persistent?

I am using "site-wide" cookie-login, but
if the directory just below the root directory changes case,
(for example with a link which goes to the same directory, but with upper-case instead
of lower case letters in the URL),
then the user is logged out!

OCX/Remote Admin

I have
the MMC/IIS Properties/Home-Directory
application protection
set to Medium, or High (IIS5 and above) or NOT "running in its own application space" (IIS4 and above).
Then strange things happen with remote administration. I cannot see
who is currently logged in as I should be able to.
Sometimes the remote administration tool clears the configuration
and I have to restore the adb file.

I get the message:
"There is a problem (DomainEnabled returned 5). Unable to write to the
configuration file. Ask your ISP Administrator to grant read and write
permission to the AuthentiX ISP configuration data directory. Check the
Application Event Log for details. "
What do I do about this?

I am using AuthentiX/WebQuota ISP, however I cannot get into
any of my websites when AuthentiX is installed.
I turned on the Option to "Show reason in Access Denied message",
and I get
DENIED_INVALID_3b

I am concerned about encryption/encoding. Does AuthentiX encrypt passwords with
Basic Authentication? How about with cookie-based AuthentiX authentication?

How do I get the user's name and
password from within a C++ ISAPI DLL?

I am trying to use
server.MapPath
on an AuthentiX protected directory but I cannot get it to work!

VideoQuota

I cannot access any WMS files!
I am getting an NSUnicast Error in the application event log,
with the message "The Windows Media Unicast Service Plugins encountered a catastrophic failure."
in plugin:
"VQTrack
ErrorCode=0x80040154."

Remember to turn off "Enable Fast Cache".
Caching can disable Basic Authentication, because it necessarily bypasses the usual processing channels.

I am running WMS and IIS on the same machine,
they seem to conflict! IIS doesn't work!
You must set Windows Media component services to be dependent on the Web service so that
the Web service can bind to port 80. If you do not set this dependency, then Windows Media server components might bind
to port 80 first, and the Web server will not function properly. These steps are specific to using Windows Media
Services with IIS 4.0 or later. If you use Windows Media Services with a different Web server, check the documentation
for that server for instructions on setting dependencies.

A.
If you are running the software for the first time, here are the steps
you need to take to protect a directory using the internal Database:

First make sure you can access the directory you wish to protect freely (via http://...),
without any IIS/NTFS protections.
Use Netscape for this, since IE will sometimes
log you in with your current login without telling you.
Make sure the directories
you are trying to access have Read (and execute) Permissions for Everyone with NTFS.
Make sure Basic Authentication is
turned OFF in IIS5 (and above) Management console,
otherwise it will conflict with AuthentiX Basic Authentication.
Make sure
Allow Anonymous is ON. NTCR can be ON or OFF.

Create a user. From the main dialog, click the
Users button, then Add. Type a username and password and
press OK.
You should now see the user in the user list.
Press OK.

Create a group. From the main dialog, click the
Groups button, then Add. Type a groupname and then click on
the user you just created in the non-members list box. It should
be highlighted. Now click Add. The user should now be moved
to the Members listbox.
Press OK.
You should now see the group in the group list.
Press OK.

Protect a directory. From the main dialog, click the
Access button, then Add. Use the Browse button to select a
directory that is part of your web directories, and that you
would like to protect. Click on the "By Internal DB" tab,
then the "By Group" button and add the group
you added above to the Permitted list.
Press OK.
You should now see that the group is protecting that directory.
Press OK.
Press OK.

Use a browser to go to the URL that the directory is accessed from,
using IIS5 (and above), via http. It should prompt you for your username and password.

Type the username and
password you entered above to gain access.

NB: To change the Access Denied message, click the "Basic/Cookie" tab, and click the Messages button.

A.
If you are running the software for the first time, here are the steps
you need to take to protect a directory using an ODBC datasource:
First make sure you can access the directory you wish to protect freely (via http://...),
without any IIS/NTFS protections. Use Netscape for this, since IE will sometimes
log you in with your current login without telling you.
Make sure Basic Authentication is
turned OFF in IIS Management console,
otherwise it will conflict with AuthentiX Basic Authentication. Make sure
Allow Anonymous is ON. NTCR (Integrated Windows Authentication in Windows 2000) can be ON or OFF.

Note: You can administer and set up ODBC via a web browser
using the remote administration. However you need to know
the structure of the database, and the exact form of the Connect String for the System DSN.
Selecting the Connect String from the console is conveniently easy and
straightforward.
Set up the DSN from the console, or have your ISP do it for you.

A.
You can use the following tip:
Hi,
Downloaded your software and it looks great. I will be
purchasing it today. By the way, I typed in the full
pathname of a filename into the Browse edit box in
the Authorization dialog - and guess what - it
protects just that file!
--Jon

Thanks Jon! The software adds a slash to the end of the filename,
aside from that it works just like you say!

Q.
I have
the MMC/IIS5 (and above) Properties/Home-Directory
application protection
set to Medium, or High (IIS5 and above) or NOT "running in its own application space" (IIS4).
Then strange things happen with remote administration. I cannot see
who is currently logged in as I should be able to.
Sometimes the remote administration tool clears the configuration
and I have to restore the adb file.

A.
Go to MMC/IIS and right click on the website and select Properties. In the
Home
Directory tab, make sure the Application protection level is set to Low (IIS Process).
You should be able to set this value on the aspAdmin directory itself.

Because the software is implemented as an ISAPI filter,
ASP programs accessing the AuthentiX OCX module need access to the data structures
in the IIS process itself. If application protection is set to one of
the ASP debugging levels (Medium or High), then this access will be unavailable.

Q.
When I have set up protection for a directory, I can get in with Internet Explorer
when it prompts me for the Username and Password.
However when I use Netscape, I type in the Username and Password, then it gives me another
dialog to type in the username/password, this time with no Realm. When I cancel out it says
"Error - access denied".

A.
Looks like the directory is protected with NTFS. IE will use your login name behind your back
(especially if you are on the same machine or local network) to let you in.
Use Netscape Navigator and try to access
the directory without any protection with the software. Free up the permissions on
that directory so that Netscape can get in. Then put the software protection
back. That should fix you up.

A.
You will be pleased to note that Windows 2003 is locked down much more than Windows 2000.
You won't be so pleased to learn that this can make it harder to create DSN strings, and harder to successfully
connect to the database.

One user found that everything was working on Windows 2000 but when
moved to W2K3 the AuthentiX filter was not able to gain access to the database, with the following message in the Event Log:

In the second dialog for setting up System DSN, he was using Network Logon for Trusted Connection.
Changing this to using SQL Server Mixed Authentication (SQL2000) with a
matching account in SQL Security, solved the issue.

Adding the NT Authority\network service (s-1-5-20) user
to the admin group may help.

Q.
The test button works fine, but I cannot login. I turned
on "Show Reason in Access Denied Message" and it just says "Bad Password" :-(

A.
Make sure that the DSN you are using is a System DSN. Other DSNs are
not accessible to system processes such as IIS.
Also note that
the "Test ODBC" button may
work properly with non-text or multiple-word fields, but the
web authentication may fail. Make sure you are using text fields and
that the field names do not contain spaces.

The Test ODBC button differs from using the ODBC connection from the filter in the following ways:
1) The Test ODBC button executes in the permission context of the logged-in user.
So if that user has permissions, all will go well for the Test button.
However, the ISAPI filter logs in as the system account,
which usually will not have permission to access resources not on the local machine.
If you need to access a database on another machine, try using the
"Impersonate User when Accessing Database" settings.
2) The statement executed does not include the where clause for the username. So it only executes
Select password from tablename
and comes back with a count of all users.
The ISAPI filter, by contrast, will execute
Select password from tablename where username='suppliedUsername'
and will come back with one entry, if there is a match for the username.
Then the filter compares the returned password with the supplied password.

Q.
I just installed MDAC, and now I cannot modify my ODBC database with Access 2000 via
the ASP remote admin pages.

A.
With newer versions of drivers and databases, permissions can become an issue
where there was no issue before.

Make sure you grant Change permissions for IUSR_MachineName (and IWAM_MachineName where appropriate),
where MachineName is the name of your machine, to the directory containing your database, and everything
within and below that directory, including the database itself.

A.
It is normally best to have the username as a unique key. However,
if you have multiple users with the same name but different passwords,
then you can set a switch in the registry to tell AuthentiX to
add " AND passwordField='passwordEntered'" at the end of the select statement
(standard or custom select).

of type REG_DWORD with the name addPasswordToSelect.
Make its value 1.

Note: the software caches successfully logged in ODBC usernames
and passwords for performance reasons. If a username logs in with
one password and another tries to login with that username using
a different password (while the first is still in the cache), then the
second will not be able to get in, because the
ODBC database will not be queried again.
To turn off this caching,
go to the options dialog / ODBC options, and set the relevant checkbox.
This will disable the cache and query the database for every request.
This may have a performance impact.

Then stop IIS Admin Service (IIS4 and above) or World Wide Web Publishing Service (IIS3)
from the control panel and restart.

This really isn't recommended because of the performance issue.
It will not work if for example you are using cookie-based login, where the passwords
need to be decrypted and/or hash-matched first.

NB: This ability
is intended to help ease the transition
to a database with single username/password combinations.
It works for the most common scenarios, but
may not be fully supported for all functionality, for example cookie-based login with ODBC.
Additional custom upgrades may
be required, if you wish to persist in using multiple passwords with a single username.

Alternatively:

You could use the "By COM" option (with the
Extensibility SDK),
and specify the Option: "Call On Every Request". This option
will bypass the built-in username/password caching, and you can
check usernames, passwords, etc. with any scheme you wish.

Q.
How are ODBC and Internal Database groups related?
How do I setup using groups with my ODBC database?

A.
ODBC users and Internal Database Groups are not related at all!

If you are using ODBC and you want groups, then make groups a part of your database,
and then use the custom select statement for each directory.

Add a field to the usertable indicating the access privileges for that user. This could be a
hierarchical priority level ("A", "B", "C") or group membership ("Vendors", "Wholesalers", "Customers").

Then use the
custom select statement
on each directory you want to protect, setting the select statement to reflect the group, eg
Select Password from Users Where AccessLevel='Customers' AND user= etc.
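
The difference between the Test ODBC query and the filter's per-login query described earlier, together with the group-scoped custom select above, as an added example (not Flicks Software code). An in-memory SQLite table stands in for the ODBC data source; the table and column names, the sample rows, and the use of bound parameters and a constant-time comparison are assumptions of this sketch.

```python
import hmac
import sqlite3

# Constructed sample rows: (username, password, AccessLevel).
SAMPLE_USERS = [
    ("alice", "wonder1", "Customers"),
    ("bob", "builder2", "Vendors"),
    ("carol", "singer3", "Wholesalers"),
    ("o'brien", "clover4", "Customers"),  # quote in the name, on purpose
]


def make_db():
    """Build an in-memory stand-in for the ODBC user table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Users (username TEXT PRIMARY KEY, "
        "password TEXT NOT NULL, AccessLevel TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def run_test_query(db):
    """What the Test button runs: no WHERE clause, so it only shows that
    the table and column are reachable and returns a count of all users."""
    rows = db.execute("SELECT password FROM Users").fetchall()
    return len(rows)


def run_filter_query(db, username, supplied_password, access_level=None):
    """What happens per login: fetch the stored password for one username
    (restricted to a group when the directory uses a custom select), then
    compare it with the supplied password. Returns (allowed, reason)."""
    sql = "SELECT password FROM Users WHERE username = ?"
    params = [username]
    if access_level is not None:
        # Group restriction in the style of the custom select statement.
        sql += " AND AccessLevel = ?"
        params.append(access_level)
    # Bound parameters keep quotes in the username out of the SQL text.
    rows = db.execute(sql, params).fetchall()
    if not rows:
        return False, "no matching row"
    stored = rows[0][0]
    if hmac.compare_digest(stored.encode(), supplied_password.encode()):
        return True, "ok"
    return False, "bad password"


def demo():
    """Run the Test query and several logins against the sample table."""
    db = make_db()
    return {
        "test_count": run_test_query(db),
        "alice_customers": run_filter_query(db, "alice", "wonder1", "Customers"),
        "bob_customers": run_filter_query(db, "bob", "builder2", "Customers"),
        "bob_no_group": run_filter_query(db, "bob", "builder2"),
        "alice_wrong_pw": run_filter_query(db, "alice", "nope", "Customers"),
        "quoted_name": run_filter_query(db, "o'brien", "clover4", "Customers"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The Test query succeeds with a count of 4 even in the cases where the per-login query denies access, which is why a working Test button says little about whether a given login will pass.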

Q.
I am using the ODBC interface with Oracle, and when I hit the Test button
it doesn't work :-(

A.
The DSN setup does not automatically add the password field to the DSN string.
Try adding
PWD=password
after the last semicolon in the DSN string, where password is
the password you use to access the database.

Q.
I get into the protected area, but it keeps re-prompting me
with multiple prompts for a username and password.

A.
Always make sure that Basic Authentication in IIS/MMC is turned off.

If you are including images, make sure the images are in a sub-directory of the
protected area.

If you are using frames, make sure that all the frame components are in the same directory,
and that it is the same protected directory.

When you are prompted the second and third time, what is the realm indicated in
the prompt dialog? If it is not the same as the one set by AuthentiX, there is a file
being protected by IIS/NTFS. When you escape out of the prompt, you should see an Access Denied
message. If this is not the one you set with AuthentiX, there is a file
being protected by IIS/NTFS.

If you are using ODBC to validate users, and you are getting reprompts
that cannot otherwise be explained, try setting the "Impersonate NT User"
in the ODBC settings for that directory's protection, to an NT account that has
valid access to the database.

Windows2000
With Windows 2000,
Everyone has only list permissions within the
inetpub directory by default, even though the advanced properties say they
have read and execute, they are not inherited by default like in IIS4/5.

AuthentiXISP / WebQuotaISP

If you are protecting content on several drives using Basic Authentication, make sure that the
realm is the same for each.

HTTP Keep-Alives
Try turning off HTTP Keep-Alives. Some file types (eg pdf files) will prompt multiple times,
because the browser asks for information in 1mb chunks (or thereabouts), but only
supplies the username and password for the 1st chunk.
Sometimes quitting out of the 2nd and subsequent prompts
allows you to see the file anyway, which is what you want, but is somewhat disconcerting.
You turn off HTTP Keep-alives by going to the master properties for the website (In IIS/MMC) and
turning off the corresponding checkbox.

Q.
The software keeps prompting me (three times or more!) on the page in the protected directory.
It is a terrific page, it's got stylesheets, framesets, a whole bunch of
cool gifs, all the latest stuff and more.
Why am I having problems?

A.
Likely you are including something outside of the protected area,
the browser is sending the credentials (username/password) to the
non-protected area, and IIS thinks it should authenticate the
request, but it doesn't recognise the AuthentiX username/password.
This is why you are seeing the pop-up dialog with a different realm than
the
realm specified in AuthentiX.

Alternatively, you could be using a complex set of html/asp features, that
is confusing the browser, so that the browser is sending authentication information
in the http header when it should not be, or failing to send authentication information
when it should be.

Create a directory with just one simple htm file in it. Protect it with
AuthentiX and see what happens. If all is well, add a graphic and an <img src>
tag. If all is well, keep adding things from the page that is not working
right, one by one, until you get the problem. The last thing you added after the last
edition that was working right is what is causing the problem.

You could also try turning on NT Security Auditing for the directories and files in question,
and check the event log for more information.

One user reported that turning on logging would stop reprompts (!). As far as
we know there is no possible relation between logging (which happens right at the
end of a request) and authorization (which happens right at the start). We have only
heard of this one time, but if it happens for you, let us know...
Another user reported this (Windows 2000/IIS5), and turning on logging fixed it! (10/1/04)
And a third (Windows 2000/IIS5/SP4).

An additional workaround (particularly useful for users experiencing problems with Excel, PDF,
and Word files) is the following:

If you are reprompted for Excel files, but not for jpgs in the same directory, then it is most likely
an issue of how the excel file handles the authentication.

Q.
I have been able to protect Real streaming files with WebQuota
by saving them as .rm files .... but my visitors receive a double prompt for a username and password
the first time they log in. How can I fix this?

A.
This is a fairly easy solution. To eliminate the double prompt, you will need to create a redirect page.
This redirect page will get the current username, form a link
with the username and password hard coded within
it (use the format http://username:password@www.website.com/filename - but see here),
and redirect the user to that link.

Instead of linking directly to the .rm file, link to the redirect. Your members will not know the difference!

create a value called traceAccessDenied, of type DWORD, and set it to be 1.
Stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web
Publishing Service (IIS3) from the control panel.
You have to stop IIS Admin from the control panel/services, not just a subweb in Internet Manager.

Try logging into the page again. When it fails, check out the application event log.
You should see various extra entries and they should say things like this:
The description for Event ID ( 0 ) in Source ( Flicks Denied ) could not be found.
It contains the following insertion string(s):
Denying *Empty user name* for F:\x1\x2\graphics\index.gif, protecting path is f:\x1\x2\
or
Denying Raxer for F:\dir1\dir2\graphics\index.gif, protecting path is f:\dir1\dir2\

Inspect all the values and output generated;
they should give extra clues as to what is going on.

First you need to setup your website, either on your own machine
with your own dedicated internet connection, or with one of
our recommended ISPs.
Create a directory containing the
content to which you want to sell access.

Protect your saleable content directory with AuthentiX
and an AuthentiX internal database group. This group should
match the group coded in the free script mentioned below.

Use one of the free Credit-card-clearer
AuthentiX integration scripts
(each credit-card clearer has a slightly different version).
Work with your selected Credit-card-clearer to make
sure this is setup right for your environment and works for you.

Use the html order form supplied by your selected Credit-card-clearer to
let customers order access to your protected content.

The combination of the free integration script, your credit card clearer,
your ISP (if appropriate), and the order form will allow you to
automatically sell access to protected pages.

Other notes:

If you just want automatic signup, without charging money,
as with the signup for AuthentiX and WebQuota (which uses
the email address as the username and sends an email to the person signing up),
then check out the sample
in the installation directory
"\ASPocxSamples\WebQuota Signup Sample"

If you want to send additional emails to yourself, confirming various other order
details, then you can modify the free installation script,
which is called after the order is accepted, and before the customer
is granted access. See the bonus OCX method
SMTPSendMail
or the dedicated email products
OCXMail
and
ocxQmail.

If you want to signup users for 30, 60, or 90 days, then carefully
refer to the
signup sample
and modify the free signup script appropriately.

If you have, or anticipate, a large number of users, consider
using an ODBC database instead:
refer to the
ODBC signup sample
and modify the free signup script appropriately,
and refer to the
ODBC FAQ
and related documentation.

Flicks Software products as of 12/16/98 use the latest version of the mfc42.dll support file from Microsoft.
The products come with and require the latest version of the
mfc42.dll dated 9/26/98, size 995,383 (File Manager - winfile.exe) 973k
(Explorer), File version 6.00.8267.0, product version 6.0.100.

Exit the installation program.

Make a backup copy of mfc42.dll (likely location: C:\WinNT\system32\mfc42.dll)

A.
Several customers have reported that
Office2000 does not work properly with Basic Authentication,
whether it be AuthentiX Basic Authentication, or the Basic Authentication
provided by Microsoft in IIS.

Office2000 will prompt for Basic Authentication username and password
even though this has already been supplied for the requested directory.
It may prompt a second time.

If you have already supplied a username and password to get access
to the contents of the directory, then it doesn't matter whether
the username and password are entered again (ie you can escape out
of the pop-up prompt) and you will be able to view the document.

If you enter the URL of the document directly, it will require
a valid username and password, however IE will present the document
as a stream of binary data.

Needless to say, this is a less than satisfactory user experience.
Contact Microsoft to ask when they will provide a fix.

Q.
How to setup SQL database on a different machine, not on the webserver itself. (Can also
help with a W2K3 SP2 permissions issue)

A.
Hopefully the following will help set this up. Configurations vary so widely it is not
possible to document them all here. Sometimes patience is needed (!)

7/7/2005:
With W2K3 and SP1, two new groups have been added:
Distributed COM Users
IIS_WPG
When you impersonate an NT user when making the ODBC call (usually with an Administrator account), make sure
this account is a member of these two groups.

You will need to use the SQLOLEDB driver, instead of the default SQL
driver normally presented in the ODBC control panel. The SQLOLEDB driver will
not be visible here, and it shouldn't be.

The SQLOLEDB driver is available in the MDAC (Microsoft Data Access Components) package.

Carefully match up the parameters on your connection string with the above example.

You may need to set up the appropriate SQL user/pass to access the database,
as well as an NT user/pass that matches and is good for both machines.
Make sure your SQL account has permissions to access all the
relevant tables and procedures etc.

How to get it right every time:

First, catch your connection string.
The best way to
do this is to create an ASP/ADO page on the webserver,
that connects to and reads from your Database.
Likely you have already done this in order to add/change
usernames/passwords in your database from the web.
If not however, there are many excellent
resources to help get this setup, including www.wrox.com,
this
great article at 4guysfromrolla,
www.asp101.com (especially
this
article on connection strings), aspAlliance.com, etc.
and Microsoft articles! BEGINNERS will enjoy
this article from WebMonkey's Jay Greenspan.
Also see http://www.connectionstrings.com/.
If these don't help, then since you are using only
ASP, ADO, SQL and these are all Microsoft products
they will be able to fix you up, (probably for a Tech Support fee though).
Even so, most of the bases are covered by referring
to the format of the SQLOLEDB Connection string above (and below).

In the ODBC setup dialog, paste this connection string into the Text Box next
to the Data Source button.

Use Standard Select to begin with.

Press the Table button, it should come up with a list of Tables in your database.
This is the first hurdle to overcome. Should there be permission errors, try
the "Impersonate NT User" Option, and check your SQL user/pass.
Note also, that if you check the "Impersonate NT User" Option, the Test button
may fail, however, the actual filter database access can succeed. Give it a try.

Fill out the username and password fields.

Press the Test button. Check and resolve any error messages.

Now try to access the protected directory via the web (http).

If it doesn't work perfectly, check the "Show reason in access denied" (Options dialog), and
try again.

If this doesn't help, check the Application Event Log for clues.
Perhaps the NT user you are impersonating does not have
"Act as part of the Operating System"
advanced user rights. If it doesn't then add them (if you are logged in under that account, logout/login or reboot
to apply the changes). The same goes for the
"Log on locally" privilege.
Otherwise you will likely get "[1314]A required privilege is not held by
the client" when using the Test button.
To add privileges: Control Panel, Administrative Tools, Local Security Policy, Local
Policies, User Rights Assignment. (Phew! knew where it was in NT4, took some finding in W2K!).

If this doesn't help, open the SQL Profiler, and check the SQL
is getting through to the server and correctly executing.

A few things I experienced went against the FAQ page, and I thought I'd make note of:

1. Your FAQ #94 needs an equal sign after the "driver" in the first example, as in "Driver={SQL Server};".

2. SQLOLEDB would never work, even though several combinations of the connection string worked in ASP.

3. It wasn't clear that integrated NT security was not required.

4. While I was trying to get integrated NT security to work, I kept getting "A required privilege
is not held by the client", even though the user I was using had both "act as operating system"
and "log on locally rights", and also had full control of all databases, which was all set up
prior to installing AuthentiX.

Q.I have some questions about ODBC caching.
I understand that the ODBC user requests are cached and there
are settings to control expiration etc. If the request is authenticated
from the cache does it look it up again real-time? (i.e. if a currently
logged-on user changes password and the user id is located in the cache,
will it re-validate or what will happen?)

A.
From the windows help file:

If you have set up and enabled an ODBC authorization database
(see Set Up ODBC), you can adjust the following options:

Minutes to discard old users (default = 10) — If a user has not accessed a protected directory
in this number of minutes, the user is deleted from the cache.

Minutes between forced user lookup (default = 60) — Determines how frequently to check a user’s
username and password. This feature makes it possible to “kick out” a user who has been accessing
a protected directory continuously for a very long time. You can change his or her password,
and after the number of minutes entered here, the user’s name and password will be checked
and the user will be denied access to the protected directory.
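A small model of the two timers described in the help-file text, added here to show how long a changed password keeps working from the cache; it is not AuthentiX code. The class, the lookup callback standing in for the ODBC query, and the rule that a cached entry is matched on both username and password are assumptions.

```python
import hashlib
import hmac
import os


class OdbcUserCache:
    """Hypothetical model of the cache: idle discard plus forced re-lookup."""

    def __init__(self, lookup, discard_minutes=10, forced_lookup_minutes=60):
        self.lookup = lookup                      # callable(user, password) -> bool
        self.discard_after = discard_minutes * 60
        self.forced_after = forced_lookup_minutes * 60
        self.entries = {}                         # username -> cached state
        self.database_lookups = 0
        self._key = os.urandom(32)                # keeps plaintext out of the cache

    def _digest(self, password):
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def authenticate(self, username, password, now):
        """Return (allowed, source); `now` is a time in seconds."""
        # "Minutes to discard old users": drop anyone idle for too long.
        idle = [name for name, entry in self.entries.items()
                if now - entry["last_access"] >= self.discard_after]
        for name in idle:
            del self.entries[name]

        # "Minutes between forced user lookup": an old verification is not trusted.
        entry = self.entries.get(username)
        if entry is not None and now - entry["verified_at"] >= self.forced_after:
            del self.entries[username]
            entry = None

        if entry is not None and hmac.compare_digest(entry["digest"], self._digest(password)):
            entry["last_access"] = now
            return True, "cache"

        # Cache miss, forced lookup due, or a different password: ask the database.
        self.database_lookups += 1
        if self.lookup(username, password):
            self.entries[username] = {
                "digest": self._digest(password),
                "verified_at": now,
                "last_access": now,
            }
            return True, "database"
        return False, "database"


def minutes_until_old_password_refused(access_gap_minutes, limit_minutes=180):
    """Log in, change the password in the database, then keep using the old one."""
    database = {"alice": "old-password"}          # constructed sample data
    cache = OdbcUserCache(lambda user, password: database.get(user) == password)
    cache.authenticate("alice", "old-password", 0)
    database["alice"] = "new-password"            # changed right after the login
    minute = access_gap_minutes
    while minute <= limit_minutes:
        allowed, _source = cache.authenticate("alice", "old-password", minute * 60)
        if not allowed:
            return minute
        minute += access_gap_minutes
    return None


if __name__ == "__main__":
    for gap in (5, 7, 15):
        print(gap, "minute gap: old password refused at minute",
              minutes_until_old_password_refused(gap))
```

With the defaults, a user who keeps requesting pages every 5 minutes is served from the cache until minute 60, while one who pauses for 15 minutes is discarded and re-checked on the next request.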

A.
The software notifies IIS of the username of each authenticated request, and
then IIS will place this info in the IIS configured logfile.
Note that with IIS4, by default you will be using
W3C extended logging format,
and you must click on the Properties button, go
to the extended properties tab, and enable the Username checkbox.
Otherwise usernames will not appear in the log.
Refer to your IIS documentation for more details.

See also the Options/Audit button, to have AuthentiX create an audit log in the text file you specify.

Our company, like so many, is rushing to migrate all of our existing web applications from ASP to ASP .NET.
However, this process is taking time as we strive to manage our new project development and still migrate old development.

With that said, we need to put an authentication process in place that will work
with our new .net web applications and old ASP applications.

Our hope is to create a single portal that will authenticate a web user and then give them
links to access all of our different online applications (both ASP & ASP.net).

All of our applications are running on a single server. (Windows 2003, SQL Server 7, IIS 6)
The applications are however running under different websites. We have approximately 5 different websites.
We are currently working to combine all of the applications and sites into a single website as we migrate everything to .NET.
However, that currently isn't the case.

Our Need: We need to authenticate the user one time and then allow them to move between the different
applications. Again, some of the applications are setup within different web sites and some are ASP others .NET.

set this up per the instructions and note how the easyloginnow.asp works - it receives the username
and password from the login form, and creates the AXCOOKIELOGIN.

You can modify easyloginnow.asp so that it also sets up session variables etc that are required
for your other mechanisms. Or you can take another .NET login aspx file, and modify that to create
the AXCOOKIELOGIN as is done in easyloginnow.asp.

Q.
I am using MS Proxy 2 and IIS. We can get to the member area from our
internal network, but not from the internet.
I am prompted, and a valid username and password is supplied, then I am
asked a couple more times, and eventually it is as though an incorrect

A.
Hi Kevin!

I have finally solved the problem. It was the Proxy server that caused
the problem.
As I mentioned before we access our webserver through a proxy which is
on a different domain. This is why everything worked internally, since
the proxy is never used for internal traffic. This is what happens.

When trying to access the protected directory, AuthentiX displays the
login dialog.
When the user clicks OK the web service on the proxy tries to login with
the username and password entered. This will of course not work, since
no such NT user exists. What you must do is to uncheck the Basic (Clear
Text) and NT Challenge Response in the web service on the proxy server
(the proxy server uses the web service to authenticate users). Once this
is set, all authentication is forwarded to the real web server. This
regards IIS and MS Proxy 2.0. I don't know if it would work in the same
way with IIS 3 or Proxy 1.

Q.The REMOTE_USER environment
variable is not being set for CGIs if a directory is protected by
the software. How do I get the login name?

A.
This is to be expected. If REMOTE_USER was set,
then IIS would try to authenticate against NTFS, which would disallow all entry.
Instead, you can use the OCX component to find out who is logged in:
http://www.flicks.com/authentix/currentusername.htm
You should be able to add the component to your CGI program.
Alternatively, you can read the HTTP_AUTHORIZATION variable and base64 decode it.
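The HTTP_AUTHORIZATION route mentioned above, as an added Python example (not Flicks Software code): a CGI helper that base64-decodes a Basic credential and returns only the login name. It assumes the filter has already validated the credential for the protected directory; the function name and the sample environment are constructed for illustration.

```python
import base64
import binascii
import os


def login_name_from_environ(environ):
    """Return the login name carried in a Basic Authorization header, or None.

    The header is only what the browser sent. It is trustworthy as an identity
    only when the request reached the CGI through a directory where the
    credential was already checked.
    """
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, payload = header.strip().partition(" ")
    payload = payload.strip()
    if scheme.lower() != "basic" or not payload:
        # No header, or a scheme such as NTLM that carries no user:password pair.
        return None
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None                      # not valid base64
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")     # older browsers sent Latin-1
    # Split on the FIRST colon only: the password itself may contain colons.
    user, separator, _password = text.partition(":")
    if not separator or not user:
        return None
    # The password is deliberately discarded; never log or echo it.
    return user


# Constructed sample of what a CGI would see in its environment.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "HTTP_AUTHORIZATION": "Basic "
    + base64.b64encode(b"member01:correct:horse").decode("ascii"),
}


if __name__ == "__main__":
    # In a real CGI the variables come from os.environ.
    name = login_name_from_environ(os.environ) or login_name_from_environ(SAMPLE_ENVIRON)
    print("Content-Type: text/plain")
    print()
    print("Logged in as:", name)
```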

Q.
When I start the program, I get
"Could not CreateDispatch (21434),
did you regsvr32 on the dll containing FlicksIISInstall.Install"

A.

The automated IIS filter install (which is
not working for you) requires a VB runtime DLL, MSVBVM60.DLL,
which is missing from your machine.
The required VB runtimes are included on any machine that has IIS4 (and above) installed,
however they must have been removed since IIS4 (and above) was installed.

Q.
I am going to upgrade and I want to make sure that
installation will not overwrite my existing setup and configuration.

A.
The setup and configuration information is stored in authxdb.adb in
the installation directory (authxISPData/*.adb for ISP versions).
Make sure you back up these files at regular intervals and before you
upgrade.

So long as you uninstall and reinstall to the original installation
directory, your configuration will be preserved.

If you are using WebQuota and have set additional IP Addresses in Options/AOL-Limit-Logins,
you need to copy the machine's list of IP Addresses out of the registry, using regedt32.exe, here:
HKEY_LOCAL_MACHINE\Software\Flicks Software\AuthentiX\1.0\AuthentiXConfig\mzAOLData

AuthentiX ISP is for Internet Service Providers who need to support multiple customers, each with their own community of users.
Each customer is able to remotely administer access to their subdirectories
(and only their own subdirectories).

Each customer's database of usernames is separate
and private from others.
Customers are distinguished either by their domain's IP address, or by their host-header domain name.

If you have multiple customers, and you administer their username/passwords yourself, you
could use AuthentiX with the unlimited DSN license.

However, if you want them to do their own administration and
it is important to you (or your customers) that each
customer is unable to edit another customer's
usernames/passwords/configuration, then you would use AuthentiX ISP.

Q.
I have heard a lot about AuthentiX and it sounds great!
Our website is hosted at an ISP/WPP (internet service
provider/web presence provider).
Can we use it on our website hosted at the ISP?

A.
Certainly. You need to discuss your specific requirements
with your provider. They will need to agree to install AuthentiX on their server for you.
(Note for the ISP: AuthentiX and its variants are based on
an ISAPI filter, and need to be installed via the console on
the IIS machine your website is running on. Also see the note below about Sharing.)
If your ISP is unwilling or unable to install AuthentiX, then
many other ISP providers already offer an AuthentiX plan. Here is
a list of approved providers that offer AuthentiX/WebQuota ISP.

Sharing: If your website is sharing the IIS machine with several other
of your provider's customers, the ISP version of the software
will be more appropriate. Essentially, the ISP version places
firewalls between each customer so they do not have access to, and
cannot modify, each other's AuthentiX configurations. Also you
can only protect directories on your own website
(and not other people's websites on the same machine!).
Consequently, your provider may not permit you
to use AuthentiX, and may require you to
purchase AuthentiX ISP 5-pak.

A.
Try running flicksUninstall.exe in the installation directory. If it complains
that it cannot find mfc42d.dll, then you need to download the latest
flicksUninstall.exe.
Overwrite the one in the installation directory. Then try uninstalling from
the control-panel again.

Q.
I have tried to install the latest version of the software, however it
still comes up with the old version!

A.
Are you sure you installed the correct zipfile? If you have just
purchased the software and are installing over the trial
version, are you sure you are installing the software sent to
you?

If you are sure you are installing the correct version,
then perhaps the old files are still 'hanging' around.
There are several reasons this could happen, for example you
may have forgotten to stop IIS before the installation procedure,
or the Windows console GUI app was still running.

Try the following to reinstall:
Stop IIS from the control-panel/Services. Make sure you stop IISAdmin service
and say yes to stopping all sub-services (including IIS).
Make sure the AuthentiX/WebQuota Windows user interface is closed.
Make sure no other programs are using any AuthentiX/WebQuota OCX/COM component.
Uninstall from the Control-Panel/Add-Remove Programs.
Install the software again, making sure you use the correct zipfile.

If this still does not work, then
to make sure you have a clean re-install, copy the
manualdelete.bat from the installation directory to a separate
directory, stop IIS and the console app, and uninstall from the control panel.
Modify the manualdelete.bat file to reflect the directories of
your installation/machine configuration, and run it.
If any of the files fail to be deleted,
then they are still being held open by another process.
Rename the offending files, and reboot.
This should guarantee that the old files are gone.
Then install the software.

In the last resort, make a backup of any/all adb files in the
installation directory, delete the entire installation directory,
and in the system32 directory delete the following files:

Q.
I'm using IIS6 and I get
"An attempt was made to load the filter but it requires the SF_NOTIFY_READ_RAW_DATA filter notification and this notification is not
supported in
Worker Process Isolation Mode."

create a value called ENABLE_SUBWEB, of type DWORD, and set it to be 1. Stop and restart IIS Admin Service.
You should then get a message in the event log saying
"SF_NOTIFY_READ_RAW_DATA turned off", rather than the above message.
(This is the default in 5.5k2 and above).

The worker processes that indicate to the system that IIS6 is running are not activated
until an actual http call is made. If, on installation, it doesn't seem to be working, try
protecting a directory and seeing if it is protected by making a request. It should be fine.

We have found that this can occur when using Terminal Services to remotely access
the server machine. Version 5.5b2 and above eliminate this glitch.
For prior versions you may continue to use the Browser-based administration aspAdmin, or
use alternate remoting software such as PCAnywhere or Remotely Possible.

The issue is normally related to permissions, depending on the security regimen implemented on the machine, either by corporate policy, or by any of the many service packs. Each of the latter seems to make undocumented modifications to the security structure, and these vary between service packs.

The problem is caused by one of two things:

1) The Windows GUI does not have permission to update the authx.adb file.
This is relatively easy to fix by making sure the authx.adb file and its parent directories have the permissions necessary to update the file.

2) The global mutex that signals all applications (particularly the AuthentiX ISAPI filter plugin, which runs as a part of IIS) is not having the desired effect. This is almost always caused by permission issues for the global mutex and the permissions of the processes involved (IIS, AuthentiX GUI).
Because the remote admin uses the AuthentiX OCX, which itself runs as part of IIS, the permissions issue is sidestepped.

A customer observed this behaviour:

We were able to restart all IISAdmin services except the http SSL
service while being remote into the server. After restarting those
services and making a change through the GUI, the change showed up in
remoteAdmin.

Permissions could be an issue here. Make sure you are logged in as an Administrator
with "Act as part of the Operating System" and "Log on locally"
advanced user rights/privileges.
To add privileges: Control Panel, Administrative Tools, Local Security Policy, Local
Policies, User Rights Assignment.

In brief, the software attempts to open the Registry Key
HKEY_LOCAL_MACHINE\SOFTWARE\Flicks Software\AuthentiX\1.0
but fails the permission check, which generates the Event Log message.
However the system then automatically tries again with higher permissions, which succeeds.

If you do in fact have problems that are related to this please let us know.

Yes, there are cases where the http-header referrer information is not
correctly passed to the server.

It could be because of an option in a browser, a firewall or proxy stripping out the header,
or a browser not even having the capability.

One common example is the WMP browser,
which standalone does not pass the referrer to the server,
however if embedded in IE or Firefox it does.

In the AuthentiX installation directory there are some copies of debug.asp.

Take one of these and put it in an unprotected directory on the target machine. Use the browser
method in question to access this file via http.
If there is no referrer information there, then none is being passed to the server.

If the referrer information is required for access,
but the referrer information is not passed to the server,
then the browser will be blocked by referrer.

Q.
I really like being able to see
who is currently logged in with the aspAdmin remote admin module.
It is in the Access List, where it says "Who's on now" and a link
to "Current Users". It shows me who's on now.
However, I cannot see any currently logged in users even though I know I am logged in!

A.

Go to MMC/IIS and right click on the website and
select Properties. In the Home Directory tab,
change the Application protection level to Low (IIS Process).
Now that ASP module will have access to the internal data structures
in the AuthentiX filter that runs as part of the IIS process
and you will be able to see the currently logged on users.

Assuming that the software has not expired:
With Windows 2000 (not Windows NT 4.0), the default file permission settings do not
give access to IWAM_machineName or IUSR_machineName.

AuthentiX/WebQuota (Standard):
The configuration file authx.adb does not have write permission
for IUSR_machineName or IWAM_machineName so the remote administration
module cannot update it.

AuthentiX/WebQuota ISP:
The configuration files *.adb in the authxISPData directory
do not have write permission
for IUSR_machineName or IWAM_machineName so the remote administration
module cannot update them.

Grant Read and Write permissions for IUSR_machineName and IWAM_machineName to these files.

This will be done automatically on installation with Versions 5.1 and above.

If you believe you have a registered version, please let us know the serial number.

A.
In IIS Manager, turn on Allow Anonymous (otherwise the whole site will be protected by IIS).
Turn off Basic Authentication (you don't want AuthentiX's Basic Authentication to conflict with IIS's Basic Authentication).
Turn on NTCR (Integrated Windows Authentication in Windows 2000); those using Frontpage will be logging in via NTCR instead.
In the Options dialog, turn on "Don't Authenticate Frontpage subdirectories".
Make sure that the anonymous user can access the actual directory, without the software
having protection for that directory, then Add protection.
Make sure the Frontpage filter is loaded after the AuthentiX filter.

For FrontPage 2000 there is an issue with the new virtual vti_bin methodology, if you
are authenticating FP with IIS Basic Authentication (and not NTCR (Integrated Windows Authentication in Windows 2000)).
To edit a site with frontpage,
the vti_bin virtual directory must have IIS Basic Authentication on,
however if this is the case users/browsers cannot use the bot without being prompted for
an NT basic auth sign on.
This is because (I think) the browser is sending Basic Authentication credentials
to AuthentiX, but these are being passed to the bot in the vti_bin, and
these credentials do not match IIS NT Basic Authentication credentials.
If you turn off vti_bin IIS Basic
Authentication, the bot will work for the user, but you won't be able
to edit the site with FrontPage.
It is better to use ASP solutions rather than bots, when you are
authenticating FP with IIS Basic Authentication (and not NTCR (Integrated Windows Authentication in Windows 2000)).
If you must authenticate FP with IIS Basic Authentication (and not NTCR (Integrated Windows
Authentication in Windows 2000)),
and you must use FP bots, and you cannot have 2 IP addresses, then you have
got a problem that cannot be resolved at the
present time (8/3/00).
Better to:

Thanks to all for taking the time to give me the full info on this issue. I
tried Kevin's 'Map Request to NT User' suggestion on the _vti_bin directory
and the results were the same...NT still popped up a dialog to validate an
NT user.

I gave it some more thought and came up with a workaround that I can live
with. I have a public and a private part to my web site. I don't want the
general public to be able to search the entire web site, only authenticated
users from the protected site. What I did is relocate the Search page
containing the bot from the protected directory to the root unprotected
directory. The Search page runs fine there. Most of the links to navigate
to the Search page still come from a page in the protected directory. I had
just one link to the Search page from the Site Map page in unprotected site.
I revised the Site Map link to instead go to a search_redirect.asp page in
the protected site, which after causing User authentication does a redirect
to the Search page in the unprotected site. If some public user figures out
how to directly type in to the search.htm
they will be able to bring up and run the Search page. However, they won't
be able to follow any results links to content in the private site, without
getting authenticated. That's good enough for me.

Thanks again for your help. I've been very pleased with AuthentiX and the
hosting support I've received from CrystalTech. I'm rolling out the finished
web site this week!

A.
If you are on the same local network, this will appear to be the
case because (like IE) Frontpage will log you in "behind your back"
as your current Windows login. If you try accessing the
site outside your local network, you will see the protected
behaviour as desired.

A.
That's right. Around 2/2004 Microsoft issued a security update for IE which disallows this form of URL.

The most likely workaround is to convert to using forms-based/cookie login, and
modify the easyloginnow.asp to accept the username/password from the source of your choice, rather than
the usual login.htm page.

For example, instead of using
http://username:password@www.mydomain.com
use something like
http://www.mydomain.com/firstfile.asp?u=username&p=password

then grab the u/p out of the url string, and use these to set the cookie for cookie-based login.

Be aware that this method of passing in a username and password is vulnerable to simple copy/paste attacks,
whereby the URL can be posted on forums to effectively destroy your security.
Note that VideoQuota is soon to have "TimerTokens".
(VideoQuota includes AuthentiX/WebQuota with enhanced functionality.)
TimerTokens are generated on the fly, and contain the username and password encoded,
along with the current time, encrypted. VideoQuota decodes and matches up the token,
permitting access only if the token is freshly minted within the last few seconds. Good for links.
This premium feature is only available in VideoQuota, which costs more.
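An added example of the freshness check behind a time-limited link token, not VideoQuota's TimerToken format: it swaps encryption for an HMAC-SHA256 signature over the username and issue time, and carries no password. The function names, token layout and 10-second window are assumptions.

```python
import base64
import hashlib
import hmac
import time


def _b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text):
    # Restore the padding stripped by _b64e before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret, username, now=None):
    """Build '<body>.<signature>' where body is 'username|issue-time'."""
    issued = int(time.time() if now is None else now)
    body = f"{username}|{issued}".encode("utf-8")
    signature = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(signature)


def check_token(secret, token, max_age_seconds=10, now=None):
    """Return the username if the token is genuine and fresh, else None."""
    current = int(time.time() if now is None else now)
    body_part, separator, signature_part = token.partition(".")
    if not separator:
        return None
    try:
        body = _b64d(body_part)
        signature = _b64d(signature_part)
    except ValueError:                   # also covers binascii.Error
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None                      # forged or altered
    # The body is trusted only after the signature check above.
    username, _, issued_text = body.decode("utf-8").rpartition("|")
    age = current - int(issued_text)
    if age < 0 or age > max_age_seconds:
        return None                      # stale link, or a clock running ahead
    return username


if __name__ == "__main__":
    secret = b"constructed-demo-secret-32-bytes"   # sample key, not a real one
    link_token = mint_token(secret, "member01", now=1000)
    print("fresh :", check_token(secret, link_token, now=1004))
    print("pasted:", check_token(secret, link_token, now=1600))
```

A link copied to a forum fails the age check within seconds, which is the property the URL with u= and p= parameters lacks.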

Q.My IIS system restarts every 15 minutes
(OR every 30 minutes OR every hour OR once per day). In the event log I see a message about AuthentiX

A.

The AuthentiX message is a general message that is created when the system is restarted.

It could be because the IIS6 default pool restarts itself once a day.

If this happens very frequently, then the cause of the problem could be related to the Red Worm Patch:

"Speaking of patches, I've read several recent posts on the Bugtraq
mailing list that indicate a problem might exist with the Microsoft
patch listed in Microsoft Bulletin MS01-033. A few people have reported
that after they installed the patch, their systems remain immune to Code
Red infection. However, when an infected system attempts to connect to
their system to infect it, several IIS services (e.g., FTP, the default
Web site, the administrative Web site, and the proxy service) stop
processing." - Windows Security Update

A.
If you're installing the software with Microsoft PWS (Personal Web
Server or Peer Web Services depending on who's speaking), the
installation procedure varies from the documentation.
The Peer Web Manager application that ships with PWS doesn't
have an option to install filter DLLs, so it has to be done manually.
To install, run REGEDIT or REGEDT32 and locate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
and add a value "Filter DLLs" (note the space between FILTER
and DLLs and leave out the quotes) of type REG_SZ with
a string of
"c:\flicks\authentix\authxfilt.dll"
A stop and restart of the web service and a check of the
Event Log show everything to be running correctly.

One user reports that when the installation process prompts you to
confirm that IIS4 (and above) is detected, you should click the "No" button. This only applies
to PWS.

Q.
I installed the software, and it was protecting membership areas just great.
But then it just suddenly stopped working :-(

A.
Likely you have installed the request limited trial version. You will see
that the Requests Remaining indicator in the Windows Console GUI will
have dropped to zero. The Application Event Log will have a message containing
"Demonstration request limit exceeded". You need to stop
the IIS Admin Service (IIS4 and above) or World Wide Web Publishing Service (IIS3) from the control panel
and restart, or purchase a licensed version.

Another cause may be the permissions on the adb configuration files.
Go to the remote administration
and click on the Administrator Settings.
If there is red text saying "Error 5" or similar, then this is a permissions issue.
Make sure that Everyone has Full Access to the installation directory and everything below it.

The main dialog of the Windows AuthentiX GUI should have a message at the top
saying "The filter is loaded and running correctly".

Even so, go to the MMC for IIS and right click properties and click on the Filters tab.
The ISAPI filter should be loaded, and should have a green "go" arrow beside it.
If you are using a time-expiry version,
make sure that the software has not expired - look in the About Box.
If you are using the request-limited (990) version, then perhaps the
request limit has been reached - look in the About Box to check and if so, restart IISAdmin.

If none of the above apply, then far and away the most common issue is the following:
You are not protecting the same directory you are accessing via the browser!

Make sure you are accessing the files via http.

Make sure you are accessing URLs on the same machine
that you installed AuthentiX on!

Make sure you are protecting a directory on the same hard drive as
the directory that IIS is using!

Make sure you are protecting the same directory you are accessing, even though
it is on the same machine and the same drive!

Often a second administrator has
reorganised the webroot and/or IIS virtual directories without you knowing.
Other times you may be
attempting to protect a backup or "staging" set of directories.
It is all worth checking.

IE will sometimes
log you in with your current login without telling you.
Try using Netscape or
turn off NTCR (Integrated Windows Authentication in Windows 2000).

Q.
I want to install the software on a second machine because we are moving the website
to this new machine. How do I move the AuthentiX/WebQuota settings to the new machine?

A.

For AuthentiX or WebQuota Standard

Look for the adb (AuthentiX database) file in the existing installation directory.
Create the new installation directory on the new machine.
Copy the authx.adb file to the new installation directory.
Then install the software into this new directory,
using the zip file and serial/reg codes you used for the original installation
(or the zip file that was recently sent to you, if you just upgraded).

You can find the serial number in the About Box.
If you do not have the original
zip file, then you will need to upgrade
- Flicks Software does not provide backup services.

The settings will be ready and waiting.

If you try to copy the authx.adb to a machine that is running IIS &/or the
AuthentiX Windows GUI (or any other programs holding open AuthentiX files)
then it will not succeed. You must stop all these programs first.

For AuthentiX or WebQuota ISP

follow the same process, but move the entire
authxISPData directory to the new machine. If the IP addresses change,
then rename the individual adb data files to the corresponding new
IP address.

With Version 5.8 and above, all adb files are compatible, and can be interchanged using the above guidelines.
Upgrade your target software (Standard or ISP) as necessary, and use a free trial download for
the old software to convert the adb file to 5.8 and above format.

Note: if you originally ordered the software "by IP Address"
and you want to move it to another machine, then you will need to
purchase an upgrade. Be sure that you are able to accept large
attachments up to 4MB.

In WebQuota, if you have set additional IP Addresses in Options/AOL-Limit-Logins,
you can copy the old machine's list of IP Addresses out of
the registry, using regedt32.exe,

Q.
I cannot completely uninstall. I am having problems uninstalling.
How do I manually uninstall?

A.

Possibly you now have fewer permissions than when you first installed.

Make a backup copy of your
authx.adb files (or *.adb for AX ISP), if you want to preserve the
configuration information.

Go to Control Panel Services, Stop IISAdmin and its subservices (ie IIS).

Check that the Event Viewer is not running.

Close the AuthentiX Windows GUI if it is running.

Close all Microsoft Management Service Consoles.

Now double check:
Go to the task manager, and look in the "Processes" to
see if there is any AuthentiX application running, or IIS
or Event Viewer process running? (Authx.exe or inetinfo.exe)
Close all Microsoft Management Service Consoles (MMC.exe).

Uninstall the software. Look in the installation directory and make
sure only the authx.adb remains.

Go to the system32 directory. If present, delete the file authxdb.dll and the
file axodbc.dll (for AX ISP this will be axispdb.dll and ispodbc.dll).

If there are any files that cannot be deleted then rename, and reboot.

Then install again.

Make sure that the installation directory is populated with the installation files.
Make sure that authxdb.dll and axodbc.dll are in the system32 directory,

Q.
I'm running IIS6, and after I install the software nothing works!
You pop up a dialog box saying IIS needs at least one request
to activate, but I can't make any requests at all. IIS6 just hangs.
What shall I do?

Uninstall AuthentiX.
Manually add the ISAPI filter dll from the download above.
In IIS Manager, click on the machine name, then right click on "Web Sites", properties.
Click on the ISAPI Filters tab, and add the filter dll.
Stop IISAdmin (not just IIS) from Services, then start World Wide Web Publishing Service.

If this filter also stops any requests from being served,
then no ISAPI filters can be loaded on this machine.

Very often, the software will run fine on one W2003 server, but not on another,
suggesting this is a permissions issue.

Possible solutions:

1) Previously we have found that C:\ does not have sufficient permissions.
"Everyone" should have
at least read and execute permissions. Check this first.
It can eliminate a nasty problem with an Application Popup error in the system event log.

2) Alternatively, try changing the Identity of the application pools.
In IIS Manager, click on the machine name, then click on "Application Pools".
Right click on each, click on the Identity tab,
and change the Predefined account to "Local System".

Q.
Once we have installed and incorporated the
evaluation version, will we have to redo the configuration
when we upgrade to the purchased version?

A.
So long as you install to the original installation directory,
your existing configuration data will be preserved.

If you are using WebQuota and have set additional IP Addresses in Options/AOL-Limit-Logins,
you need to copy the machine's list of IP Addresses out of the registry here, using regedt32.exe:
HKEY_LOCAL_MACHINE\Software\Flicks Software\AuthentiX\1.0\AuthentiXConfig\mzAOLData

Q.
I'm using IIS and I think I've loaded the filter, but it doesn't seem to be working!

A.
Check the event log. If you get a message like:

"An attempt was made to load filter
on a server instance but it
requires the SF_NOTIFY_READ_RAW_DATA filter notification
so it must be loaded as a global filter."

Then that means that you have tried to load the filter on a sub-web. It
needs to be loaded at the machine-level, as described in the installation
instructions.
Try loading it as a global filter at the machine-level, as suggested.

Q.With Remote Administration I get Code is [5] Access is denied. The file could not be accessed.
And I cannot get ASP to add users, or get any changes to 'stick'.

A.
Make sure that IUSR_machinename and IWAM_MachineName have full
access to the installation directory, particularly the authx.adb file.
For AuthentiX ISP access must be granted to the authxISPData directory.
If that fails, then you may need to turn on Security Auditing
to see which account is trying to gain access, or grant Full Access to Everyone.

Q.
I get the message:
"There is a problem (DomainEnabled returned 5). Unable to write to the
configuration file. Ask your ISP Administrator to grant read and write
permission to the AuthentiX ISP configuration data directory. Check the
Application Event Log for details. "
What do I do about this?

A.
Make sure you grant read and write permission to the AuthentiX ISP
configuration data directory for everyone!

Q.
Sometimes, little features, like
hover buttons
and other items are protected when they shouldn't
be, what can I do?

A.
You can solve this by AuthentiX-unprotecting both the _overlay and _derived subdirectories, which
FP2000 uses to replicate graphics in a theme throughout the web application. Such directories may
change from time to time, depending on the version of Frontpage, so check which need to be unprotected.

Q.
When I use the Software to protect a subdirectory of a
frontpage directory, I cannot edit it with Frontpage (or Visual Interdev)!

A.
In Internet Service Manager, turn off Basic (Clear Text), and turn
on NT Challenge Response. The Software will validate for Basic, and
let through NTCR (Integrated Windows Authentication in Windows 2000) requests that Frontpage uses.
If for some reason you must use Basic (Clear Text) for Frontpage
editing, look in the Options dialog. You will see "Don't
authenticate Frontpage subdirectories (with _vti_ in them)
even if they are in a protected directory."
Check it.
If this still does not work, try creating an AuthentiX "root user"
with the same username and password as the NT user that administers
the website. Grant permission for that user.

One customer reported that if the username/password in Frontpage is the exact
same as the one in AuthentiX, an AuthentiX prompt appears, although escaping
out will let you in no problem.
To fix, make the username/password different in each.

In a Frontpage subweb, if the username (eg user1) is exactly the same in
AuthentiX and in Frontpage admin, it prompts.
Changing the Frontpage username/password fixes this.

Make sure the Frontpage filter is loaded after the AuthentiX filter.

If you are using Frontpage for the root of the website, you may also have to
unprotect individual files in the root directory that
Frontpage requires access to (eg _vti_inf.html).
Add the file as an AuthentiX protected file and uncheck ODBC and Internal DB protection (both).
Alternatively, just protect those individual files in the root that you need to protect.

There are some situations where IIS Basic Authentication must be used instead of
NTCR/NTFS (Integrated Windows Authentication in Windows 2000) authentication, for example, if there is a proxy server being used.

One solution is to create a username and password in AuthentiX that matches
the NT username and password, and permit the AuthentiX user to that directory.

Another way to approach this issue is to use 2 IP addresses to
access the same website, one for Frontpage only, the other for
the public (but AuthentiX protected) website. Then use AuthentiX ISP (-not-
AuthentiX standard) to protect the public website via the public IP address,
and do not protect the (private) Frontpage IP address. Make sure read access
is permitted for everyone, and write access permitted just for the Frontpage user.
This may be your only solution if you want to use Frontpage as well as
CurrentUserName, because of Microsoft bug Case Number SR X980 2166010 644.

Due to the connectionless architecture of the HTTP protocol, certain
conventions are commonly used to identify a 'user' and a 'login session'.
With HTTP, every request for a page or a picture is separate and distinct.
The common convention to define a 'user' is a sequence of requests from the
same IP address. This is further refined as being a request from the same
IP address in combination with the username. There is no way for any web
server software to differentiate between two users who arrive from a single
IP address with the same username and password, which can happen if the two
users are on the other side of a proxy (their side).
An exception is with the HTTP 1.1 protocol, which allows multiple requests
using the same TCP/IP connection. However, not all browsers support this.
Additionally, proxy servers usually disable HTTP 1.1 and dumb it down to HTTP 1.0.

In HTTP a 'login session' is typically defined as
a series of requests from a single IP
address with no break in requests for 10 minutes. This
is the convention the software uses also (adding the username into the mix).

Since some ISPs such as AOL can change the requesting IP address on the fly,
and/or some users will drop their POTS connection and dial back in, it may
be a good idea to set the minimum limit-login level higher than 1. This way
obvious abuse will be detected and prevented, while legitimate users will
not be locked out. In version 4.0d and above, the Options dialog has a checkbox
to consider only the first 3 octets for limit-logins (ie 201.202.203.*) rather than all
4 (201.202.203.204) - this handles the AOL proxy-client implementation where a single
user can have as many as 20 different IP addresses - but all from the same Class C address.

You can manually add this list (if the Windows GUI is too clumsy for you) to the registry
as detailed here

Since version 5.0 of WebQuota this mechanism has been refined to allow a set of Class C addresses
to be specified. This is in response to AOL using multiple Class C addresses in its client proxy
polling.

Q.
Limit logins? How do I get it to work with my ODBC/SQL/mySQL database?

A.
Limit logins is only available in WebQuota.

You have an ODBC database table with username, password fields.
Add another field and call it Blocked, default to "No".
In the ODBC dialog use the custom statement
and specify the names of your username and password fields.
In the middle text box, have something like this:
"From userAccounts where Blocked="No" And "
with spaces at the end.

In the Limit Logons dialog
open the Update ODBC dialog
and set the DSN, table and username field appropriately.
In the "Field to Update", select the field "Blocked".
In the Update Value text box, put in "Yes".
Then if limit-logins is exceeded, the Blocked field for that user will change from "No" to "Yes",
and the custom statement will return no records, and the user will be blocked from logging in again.
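
The flow above modelled end to end, as an added example that is not WebQuota's own code. SQLite stands in for the ODBC data source, and the way the custom statement is completed with the username and password tests is an assumption; the sample rows are constructed.

```python
import sqlite3

# The fragment typed into the middle text box of the custom statement. The
# page writes the literal as "No"; standard SQL string quotes are used here.
CUSTOM_FRAGMENT = "From userAccounts where Blocked='No' And "


def make_db():
    """Constructed sample table: username, password and the added Blocked field."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE userAccounts ("
        " username TEXT PRIMARY KEY,"
        " password TEXT NOT NULL,"
        " Blocked  TEXT NOT NULL DEFAULT 'No')"
    )
    db.executemany(
        "INSERT INTO userAccounts (username, password) VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder")],  # constructed rows
    )
    return db


def authenticate(db, username, password):
    """True when the completed custom statement returns a record."""
    # Assumption: the statement is completed with tests on the two named fields.
    # The submitted values are bound as parameters, so nothing typed at the
    # login prompt can alter the Blocked condition.
    sql = "SELECT username " + CUSTOM_FRAGMENT + "username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def on_limit_exceeded(db, username):
    """The configured update: set the "Field to Update" to the "Update Value"."""
    cur = db.execute(
        "UPDATE userAccounts SET Blocked = ? WHERE username = ?", ("Yes", username)
    )
    db.commit()
    return cur.rowcount  # rows changed: 1 for a known user, 0 otherwise


def blocked_flag(db, username):
    """Current value of the Blocked field, or None for an unknown user."""
    row = db.execute(
        "SELECT Blocked FROM userAccounts WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("before:", authenticate(db, "alice", "wonderland"))
    on_limit_exceeded(db, "alice")
    print("after: ", blocked_flag(db, "alice"), authenticate(db, "alice", "wonderland"))
```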

Q.
The proxy server at AOL, etc. are driving me crazy. I am spending too much
time analyzing whether my users are cheating on their subscriptions or just
victims of these proxy servers. I sell individual memberships to technical
data. I only have about 50 users, and they do not pay a lot, but it is
necessary to protect the data. Is there anything that can be done? I have
entered the AOL server ip's, but that effectively allows anyone using AOL to
cheat. Now it appears that there are others doing the same as AOL.

A.
With standard WebQuota you can use cookie based authentication to better
identify concurrent logins with the same username (better known as password sharing).

Because HTTP is stateless, every request is unique.
What that means is with AuthentiX, each username
is checked for authentication, but there is no way to
tell if it is one user or four users logging in at any one time.
In the past, WebQuota Standard allowed you to look at the
username, and the IP address. This helped identify
unique users (during a session, a username would only have one IP address).
Ah, but AOL and Earthlink decided to change IP addresses, even
mid session. A valid user could now appear to be
coming from different IP addresses...even during the same session.
Enter the new and improved WebQuota Standard. Now you can use
cookies to uniquely identify a user during a session.
This stops password sharing cold.
If you want to create individual thresholds for account abuse based upon username,
then you'll still need to use WebQuota CMCL rather than standard WebQuota.

NEW!! WebQuota now includes cookie based
Limited Concurrent Logins protection- which prevents password sharing, even
for users with revolving IP addresses!
(Note: if you are upgrading, you will need to get
a new registration code - with FUNCTIONALITY_PER_BROWSER set.
However, if you can see the Concurrency Metering Radio buttons
in the Cookie dialog box, you should be fine.)

Note that this means the Limit-login email warnings will show
the session id in place of the remote IP address
(of the form "NIN0IANIN0KXNC0KZMQIQIQUMKJAIBNTAIANKZIX0NKY0KX").

Will says:
This works well. I had to add the following line:
' whichType: 1 for per-directory, 2 for sitewide
cookieValue = cookieValue + authx.GetConcurrencyToken(2, cookieName)
Once I added that it worked for AOL accounts.

A.
With Basic Authentication, when a request comes in for
a protected directory and there is no Base 64
encoded authentication header, a 401 Access Denied
message is returned. This should tell the browser to prompt
for a username and password and send the results in
a Base 64 encoded authentication header.
If there is a Base 64 encoded authentication header,
then it is decoded and matched against the Internal
Database. This happens for each request. If
you are using ODBC, then the user is looked up and
the username/password is cached (for a period you
specify in Options). If you change ODBC passwords on the fly
and want the change to be immediate, the cache can be purged
using the ASP/OCX method ODBCRemoveUserFromCache.

With cookie protection, once the user has entered their credentials
via a form, OCX methods set a cookiename and a
cookievalue (both encoded but not with Base 64) and
apply it to the protected directory. When the cookie
protected directory is accessed, the Software looks for these special
cookies, and validates against them.
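
The Basic Authentication flow described above, modelled as an added example that is not AuthentiX code: the 401 challenge, decoding the header on every request, and a timed credential cache in front of the database. The class and function names are hypothetical, a dictionary stands in for the ODBC source, and the sample accounts are constructed.

```python
import base64
import hmac


def basic_header(username, password):
    """Build the header value a browser sends after the prompt."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad Base64 alphabet/padding or undecodable bytes
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or not username:
        return None
    return username, password


class CredentialCache:
    """Timed cache in front of a slow lookup (stand-in for the ODBC query)."""

    def __init__(self, lookup, ttl_seconds):
        self._lookup = lookup      # callable(username) -> password or None
        self._ttl = ttl_seconds    # the caching period set in Options
        self._entries = {}         # username -> (password, expires_at)
        self.lookups = 0           # how often the database was actually asked

    def password_for(self, username, now):
        entry = self._entries.get(username)
        if entry and entry[1] > now:
            return entry[0]
        self.lookups += 1
        password = self._lookup(username)
        if password is None:
            self._entries.pop(username, None)
        else:
            self._entries[username] = (password, now + self._ttl)
        return password

    def remove_user(self, username):
        """Same role as ODBCRemoveUserFromCache: drop one user's cached entry."""
        self._entries.pop(username, None)


def handle_request(headers, cache, now, realm="Members"):
    """Return (status, response headers) for a request to a protected directory."""
    creds = parse_basic(headers.get("Authorization"))
    if creds:
        stored = cache.password_for(creds[0], now)
        if stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), creds[1].encode("utf-8")
        ):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def stale_cache_demo():
    """Password changed in the database while the old one is still cached."""
    backend = {"alice": "wonderland"}              # constructed account
    cache = CredentialCache(backend.get, ttl_seconds=300)
    old = {"Authorization": basic_header("alice", "wonderland")}
    new = {"Authorization": basic_header("alice", "looking-glass")}
    statuses = [handle_request(old, cache, now=0)[0]]
    backend["alice"] = "looking-glass"             # password changed on the fly
    statuses.append(handle_request(old, cache, now=20)[0])   # still cached
    cache.remove_user("alice")                     # purge makes it immediate
    statuses.append(handle_request(old, cache, now=21)[0])
    statuses.append(handle_request(new, cache, now=22)[0])
    return statuses


if __name__ == "__main__":
    print(stale_cache_demo())
```

Until the purge, or until the caching period runs out, the old password is still accepted; that window is what the cache period setting controls.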

Q.
I want cookie based login with a form, not Basic Authentication with a pop-up dialog.

A.
Cookie-based authentication allows
you to make various extra settings, such as timeout.
Browsers that do not have cookies enabled will be denied access.
See the dialog here:
cookie.htm
loginfirst.htm

Note, Windows 2003 requires version 6.0 and above for cookies to work correctly.

The Software comes with samples to help you get
started with cookie authentication:
Look in the ASPocxSamples\CookieLogin-SiteWide subdirectory of the installation directory.
Map a virtual directory to this directory.
Then use AuthentiX to protect the members sub-directory with cookie-based protection.
See the dialogs above.

Note that if you are using per-directory cookie
login, the urls that AuthentiX checks are case sensitive.
Make sure that links into the protected area are all lower case (or match the case
of the directory you specified when setting up the cookie).

If you suspect the cookie is not being correctly passed to the server, set up cookie
protection as normal, then place debug.asp (there are several of these in the samples directories)
into the protected area. Then -remove- the protection in AuthentiX (you can just rename the
directory in AuthentiX to keep your settings), and redirect to the debug.asp. This will show
you what cookies have been set. Remember to View Source, because the angle brackets in
the cookie value will be interpreted by the browser as failed html tags.

If you are having problems with your implementation of cookie-based protection,
go back to ASPocxSamples\CookieLogin-SiteWide, and protect the members subdirectory.
This will work, then step forward to where you want to be.

Please do not call or email tech-support with a whole set of asp files you
have created saying "it does not work - help". We are not equipped to
handle this kind of enquiry unless it is on a consulting basis.

If you are still having problems, and you are authenticating against an ODBC database,
please supply the answers to the following questions:

Yes, with cookie-based login, it is possible to have a user logout.
There are samples in the installation directory for all the types of
cookie-login.

If you need the logout capability, we recommend turning off keep-alives on the server, because
requests will continue to be served even after the user has logged out.
Credentials are only requested at the start of each stream,
which can last over several requests with keep-alive on.

If instead you need to use keep-alives then we need to tell the
server to terminate the keep-alive from the logout.asp page.
Add the following 2 lines to the end of the logout.asp:

response.buffer = true
response.flush

This will tell the server to terminate the connection, and fresh credentials
will be required from now on.

Also remember that cacheable pages will remain in the browser's cache until it is emptied.

Q.
I notice that once I have entered a username and password
to access a directory, I don't have to enter it again.
Because several people share each computer/browser that access the
directory,
how do I turn this caching off?

A.
You are using Basic Authentication, and the browser caches the username and password.
Browsers differ in their behaviour, but they will always cache
a username/password for a URL directory until they are closed.
Some will save the cached information for when they are
restarted, although this is usually configurable. If you could turn caching off,
you would be prompted for your username and password on every request for
each file and image!

Q.
With Cookie based protection, I am trying to get
the cookies to be persistent, but they always seem to expire with the session.
I don't want the user to log in each time they come to the site.
How do I make the cookies persistent?
A.

Q.
I am protecting a directory called "secure" with cookies - it works
with IE but not with Netscape!
A.

Netscape doesn't transmit cookies to directories called "secure".
Or in fact any directory with "secure" in it, eg "secureRoot".
Bizarre but true.
Rename the directory and protect that instead (remember to change the
values in loginnow.asp).

Q.
I am using "site-wide" cookie-login, but
if the directory just below the root directory changes case
(for example with a link which goes to the same directory, but with upper-case instead
of lower case letters in the URL),
then the user is logged out!
A.

If you login to a URL like
http://www.yourdomain.com/maindir/area1/members/index.htm
and index.htm has a link to
http://www.yourdomain.com/MAINDIR/area1/members/index.htm
then the AXCOOKIELOGIN cookie is not passed by the browser to the server!

In the easyloginnow.asp file (or your equivalent) add the line:
response.Cookies(cookieName).Path = "/"
after the line
response.Cookies(cookieName) = cookieValue

This explicitly forces the browser to apply the cookie to every
directory on the site, regardless of case. This line is added from version 5.1
on up, so recent users should not experience this problem.
Not sure why browsers behave this way.
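
Why the cookie is dropped, as an added example that is not part of the original FAQ: browsers compare cookie paths as case-sensitive strings (the rule later written down in RFC 6265), so a cookie scoped to /maindir is not sent for /MAINDIR. The login page location and the third link below are constructed; the function names are hypothetical.

```python
from urllib.parse import urlsplit


def default_path(request_path):
    """Path a cookie receives when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    return "/" if cut == 0 else request_path[:cut]


def path_match(request_path, cookie_path):
    """Case-sensitive match: equal, or a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent(set_from, explicit_path, request_path):
    """Would a cookie set by the page at set_from accompany request_path?"""
    cookie_path = explicit_path or default_path(set_from)
    return path_match(request_path, cookie_path)


def links_that_drop_cookie(cookie_path, links):
    """Links that miss the cookie only because the case of their path differs."""
    dropped = []
    for link in links:
        path = urlsplit(link).path or "/"
        same_ignoring_case = path_match(path.lower(), cookie_path.lower())
        if same_ignoring_case and not path_match(path, cookie_path):
            dropped.append(link)
    return dropped


# Assumed location of the login script that sets AXCOOKIELOGIN.
LOGIN_PAGE = "/maindir/easyloginnow.asp"

LINKS = [
    "http://www.yourdomain.com/maindir/area1/members/index.htm",
    "http://www.yourdomain.com/MAINDIR/area1/members/index.htm",
    "http://www.yourdomain.com/public/index.htm",  # constructed, outside the area
]

if __name__ == "__main__":
    scope = default_path(LOGIN_PAGE)
    print("cookie scope without Path:", scope)
    for link in LINKS:
        path = urlsplit(link).path
        print(path,
              "default:", cookie_sent(LOGIN_PAGE, None, path),
              "Path=/:", cookie_sent(LOGIN_PAGE, "/", path))
    print("links to fix:", links_that_drop_cookie(scope, LINKS))
```

Setting Path to "/" makes the browser send the cookie with every request to the host, including requests for unprotected directories.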

Q.
I am confused about cookie-timeouts on the browser, AuthentiX cookie timeouts,
and the limit-concurrent-login timeout.
A.

Yes, there are several different levels, each with their own subtle requirements and reasoning.

The three timeouts you mention are:

1) The browser - on the server you can set a cookie
to timeout after a certain time, which means
the cookie can persist beyond closing the browser, or disappear
while the browser is open if it is
set for a very short time. With no timeout specified when the
cookie is created it is destroyed at the end of
the session, ie when the browser is closed.

2) The AuthentiX internal cookie timer (which you
can set to be 2 minutes or 600 minutes), which decides
at the server (independent of the client browser) when a
cookie has timed out, requiring a fresh login.
This is intended as a "lower limit" of time,
so that a user is forced to log back in if they
have not been active in a (short) period
of time (maybe they went to the water-cooler).

3) Limit-logins timeout ie whether a "user session" has finished.
This is deemed to be 10 minutes after the last http request.
This is intended as an "upper limit" of time, so that a session is deemed
abandoned after 10 minutes. This is useful if a dial-up
connection has been dropped. If you were to increase this to
600 minutes, each dial-up connection that is dropped will
eat up 1 concurrent login - with undesirable results.

The limit-logins timeout works with both Basic Authentication and cookie-based login,
so do not imagine that the internal cookie timer and limit login timer are connected.

This means that a browser could have a non-expired cookie, and yet because there
has been no activity for a while, then the limit-login has timed-out, which
will allow a 2nd user with the same name to login. If the first user tries
to access the protected directory they will be denied access because of limit-logins,
even though their cookie is still valid.

With Limit-logins one user cannot "lock out"
an account, for long periods of time, even though they
are not accessing the site.
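
The session convention described earlier on this page (username plus IP address, 10 minutes of silence ends the session, optional first-three-octets matching) and the timeout interaction described above, modelled together as an added example. This is not WebQuota's code: the class, its counting rule and the sample addresses are assumptions.

```python
import ipaddress

IDLE_TIMEOUT = 10 * 60  # seconds; the 10-minute 'login session' convention


class LimitLogins:
    """Concurrent-login counting per username (assumed semantics)."""

    def __init__(self, max_concurrent, top_three_octets=False,
                 idle_timeout=IDLE_TIMEOUT):
        self.max_concurrent = max_concurrent
        self.top_three_octets = top_three_octets
        self.idle_timeout = idle_timeout
        self._sessions = {}  # username -> {client key: time of last request}

    def _client_key(self, ip):
        addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
        if self.top_three_octets:
            # 201.202.203.204 and 201.202.203.17 both become 201.202.203.0/24
            return str(ipaddress.ip_network(f"{addr}/24", strict=False))
        return str(addr)

    def active(self, username, now):
        """Sessions for this username that have not been idle too long."""
        live = {key: seen
                for key, seen in self._sessions.get(username, {}).items()
                if now - seen < self.idle_timeout}
        self._sessions[username] = live
        return live

    def request(self, username, ip, now):
        """True if the request is served, False if it is denied as excess."""
        live = self.active(username, now)
        key = self._client_key(ip)
        if key not in live and len(live) >= self.max_concurrent:
            return False          # a denied request does not open a session
        live[key] = now           # new session, or refresh of an existing one
        return True


def rotating_proxy_user(top_three_octets):
    """One subscriber whose requests arrive from three addresses in one Class C."""
    limiter = LimitLogins(max_concurrent=1, top_three_octets=top_three_octets)
    ips = ["201.202.203.204", "201.202.203.17", "201.202.203.90"]  # constructed
    return [limiter.request("carol", ip, now=i * 30) for i, ip in enumerate(ips)]


def cookie_still_valid(last_activity, now, cookie_timeout):
    """Server-side cookie timer: valid until cookie_timeout seconds of inactivity."""
    return now - last_activity < cookie_timeout


def valid_cookie_but_denied():
    """First user goes quiet, a second user takes the slot, the first returns."""
    limiter = LimitLogins(max_concurrent=1)
    cookie_timeout = 600 * 60     # internal cookie timer set to 600 minutes
    first = limiter.request("dave", "10.1.1.5", now=0)
    # 11 minutes of silence: limit-logins deems the first session abandoned.
    second_user = limiter.request("dave", "172.16.9.9", now=11 * 60)
    cookie_ok = cookie_still_valid(0, 12 * 60, cookie_timeout)
    first_again = limiter.request("dave", "10.1.1.5", now=12 * 60)
    return first, second_user, cookie_ok, first_again


if __name__ == "__main__":
    print("all four octets:  ", rotating_proxy_user(False))
    print("top three octets: ", rotating_proxy_user(True))
    print("timeout interplay:", valid_cookie_but_denied())
```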

However if you want different per-directory restrictions the following will apply:
Determine what groups and directories a
particular user has permissions for when the user
first logs in (loginnow.asp). Then set the correct cookies
for all the appropriate directories.
So you would do something like this:

If you are using the AuthentiX internal database, then conditionally set the appropriate cookies
(within if/then/else/end if)
depending on the USERNAME's groups, using
UserGroups or GroupHasUser.

If you are using an ODBC database, then use ADO and set the appropriate cookies based on the
query results for that user.

The directories you set for cookie protection are case sensitive.
If you protect "c:\inetpub\wwwroot\membersonly" links to
"c:\inetpub\wwwroot\MEMBERSONLY\asecretPage.htm" will take you back to the login page
with "Denied_Empty".

Also check out CookieSWValue for an
alternative choice for cookie validation.

Symptoms
On systems with large amounts of extended memory ( < 128 MB of RAM),
Setup.exe will fail to launch. An error message is displayed stating that
there is insufficient memory available to run the setup, even though this
is not the case.

Cause
When Setup.exe is launched, it first checks the memory available. The check
it performs was not designed to take into account such large amounts of
memory, and returns failure.

Workaround
You can disable this memory check routine by using the -z switch when
launching Setup.exe. This will prevent Setup.exe from reporting any errors
due to available memory.
Note: The -z switch only affects the initialization process. If you are
performing any memory checking routines later on in the setup through the
script, they will still function as expected regardless of whether this
switch is used.

A.
Normally AuthentiX sends a pragma-no-cache with each file that is served in a
cookie-protected directory - if you have cookie-timeouts set, then this will ensure
that a page will not be cached in the browser and available for viewing after
the timeout has expired. With SSL and IE trying to download a file, this causes
a problem and you need to switch the pragma-no-cache off.
(For IIS6 this now also seems to be true for .exe files.)
With SSL, the default setting for all browsers is not to cache
pages from SSL encrypted sites, so the pragma header is unnecessary anyway.

To switch the pragma-no-cache off
add a value in the registry, using regedt32.exe,

of type REG_DWORD with the name CookieStopNoCache
make its value 1 to stop the no-cache.
Then stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web
Publishing Service (IIS3) from the control panel.

Other options are CookieStopPrivate, to stop the "Cache-control: private", and
CookieStopExpires, to stop "Expires: 0"

One user reported that hitting the back button after submitting a form in Netscape
resulted in:

Data Missing
This document resulted from a POST operation and has expired from the cache.
If you wish you can repost the form data to recreate the document by
pressing the
reload button.

To remove this message he used the following options:
CookieStopExpires 1
CookieStopNoCache 1
CookieStopPrivate 0

Q.
Can I install two copies of AuthentiX on two different sub-webs under IIS4 (and above)?

A.

At its core AuthentiX is an ISAPI filter, which needs to be installed at
the machine level (not on a sub-web or the default web). Only one copy of the software can be
installed on one machine. The administration of AuthentiX (Standard)
applies to the whole machine, and if a person has access to the remote
administration module, they will be able to modify access restrictions for
all directories.

AuthentiX ISP separates the administration and access protection by
web-hosted IP address, and each administrator only has control of access
protection for their own IP address, and cannot protect directories that
are requested via other IP addresses on the same machine
(unless each ip address has a virtual directory that points
to the same single physical directory in which case they can).

The browser caches the username and password until the browser is closed.
The Basic Authentication protocol does not allow you to "logout" a user without changing his password.
The Basic Authentication protocol does not support the notion of timeout either.
You could use AuthentiX cookie-based authentication which supports timeouts and logouts.
Also see cookies and tips.

Q.
I have two different websites with different domain names (ie www.abc.com and www.efg.com),
and I only want the user to log in once for access to both of them.

A.

1) If the two domain names are off the same primary domain (eg
roundPeg.maximus.com and squareHole.maximus.com) then
be sure the Realm is identical for both of them. This
should cause the browser to supply the username and password
to both. If this does not work, or if the two domains are different
(eg www.theOne.com and www.theOther.com) then

2) Using Basic Authentication, create an ASP page, which
gets the currentusername and password. Then construct a URL link of the form
http://username:password@www.theOther.com/protectedDir
- but see here
This link will log them in on the other website.

3) If you are using cookie-based protection, then make the link a POST
and in the form, have a couple of hidden fields which correspond
to the username and password. POST to a non protected ASP page
on the second webserver, have that ASP page set the cookies on
that server, and redirect into the protected area.

To successfully implement a multi domain Authentication model (using the BY NT authentication method),
append the domain name + "\" to the beginning of username. Using this method you are able to
authenticate against multiple domains. For example:

Domain1\userid will query the domain1 PDC for the validity of the
authentication credentials.

A.
Kevin, your FAQ should definitely include a comment in it about installing
from a directory that is longer than 8 characters on machines that have 8.3
filenames disabled. Microsoft says that 8.3 filenames should be turned OFF
for security, and that caused your software to exit with a mysterious
message when I tried to install it from the C:\authentix directory on my
server. The problem is caused by a 16-bit install program that you're
using. You can easily duplicate the problem and the error message by
changing the registry values below, using regedt32.exe, from 0 to 1 (see the URL below for more
info). Try making these changes, and then install from a directory that has
more than 8 characters in its name to duplicate this problem:

Note also that the install application requires the 16bit WOW
Services to be running. If you have removed WOW from the server then the
install will fail.

One user resolved the issue this way:
as a work-a-round I used SMS Installer to package it as a 32bit app and installed it from that.
This has worked with a small amount of manual tweaking such as adding
the filter and copying the authxocx.ocx to a directory off the
root without spaces and less than 8 characters and registering it from there.

A.
ISAPI filters are expected to behave "well", ie pass on all information that they don't use to the next filter.
This is true for all filters, doubly so for Medium priority filters, triply so for High priority filters.

HSphere or H-Sphere installs a High priority filter called htaccess.dll.
This filter behaves badly - it strips out Basic Authentication information regardless of whether it uses the data
or not.

Low priority, well behaved filters like AuthentiX thus do not have access to this information, and
operations like CurrentUserName will not work properly because of H-Sphere. Contact H-Sphere to
report this bug to them.

Open Tech Support Question at
https://www.psoft.net/support/
8/30/05
id 3041-RYJB-2428

Latest response from psoft 9/2/05:
"
You can delete htaccess.dll filter on your own mind, but the reason of this
issue is that we did not support AuthentiX at all.
Dmitry Yatsyk
Windows Developer Team
Positive Software Corporation"

Not a particularly positive response.

In my opinion, not supporting another product should not mean disabling it.
I would urge that you contact them at support@psoft.net.

Possible workaround:
I have not tried this, but making the dll Low Priority and after the AuthentiX filter may help.

A.
First create the user in NT that you'll want to have mapped through
Authentix. Once you've done this, edit your NTFS security properties for
the directory or directories you want protected. If you add a group to the
NTFS permissions, make sure your user is in that group!

In Authentix, click Access from the menu. Then add the directory you want
to protect and map to the NT account. Once added, click on the Basic/Cookie
tab: Choose Map Requests to NT User: and enter the correct NT Username and
NT Password. Then click on By Internal DB tab and make sure you enter the
Authentix group or user(s). Click OK, OK, OK, OK.

Now you'll need to open IIS MMC, Internet Service Manager, to edit the web
site security. Find the web site of interest and open to the directory that
is to be protected. Right-click on the directory name and click on
Properties. Under Directory Security, make sure Allow Anonymous is on, and Basic
Authentication is off, and NTCR (Integrated Windows Authentication in Windows 2000) can be on or off,
however we recommend turning this off if you are having problems.

I can see there is user expiration.
Is there a way to have passwords expire with
AuthentiX?

A.
I am assuming you are using the internal database, but you can make this work with ODBC too.

User expiration and password expiration are really the same thing.
The user will exist even though expired.
Using Basic Authentication, in the access denied page, offer
them a link to change their expired password (among the other sign-up offer links).
With Cookie-based authentication the denied url will indicate
the reason, and you will be able to use ASP
to tell them they have expired, and go to change their expired password.

Then ask them to enter their username, old password, new password.
In the script that processes the form, check their details and if
all checks out, set the new password as well as the new expiration date (if any).

There is a sample that does this in the ASPocxSamples\changePassword subdirectory.

Q.
I want to use Windows NT/2000 Load Balancing Service for multiple webservers in a cluster.
What do I need to consider when using WLBS and/or Microsoft Application Center (MAS)
with AuthentiX/WebQuota?

A.

You will need to authenticate against a centralized ODBC database.

Basic Authentication will work just fine if a user is switched from one machine to another.
Cookie-based should work fine too (the AuthentiX Cookie based protection is not session based,
so there are no worries about
storing sessions in a back end db). However you will not be able to utilize the AuthentiX server-side
cookie timeout feature (setting a cookie to expire on the browser will still work of course).

Unlike session based systems (see the white paper on affinity below) AuthentiX works great on clusters.
If you have any problems, please let us know.

In the white paper for
Microsoft Windows NT/2000 Load Balancing Service,
the section on Affinity and Session Support provides the key information:
"WLBS supports client sessions and Secure Sockets Layer (SSL). If a server application
(such as a Web server) maintains state information about a client session
that spans multiple TCP connections, it is important that
all TCP connections for this client be directed to the same
cluster host. Should a server or network failure occur during a
"stateful" client session, a new logon may be required to
re-authenticate the client and re-establish session state."

So long as the domain name (eg www.domain1.com) remains the same across
requests, then the browser will continue to supply the cookie-based
or Basic Authentication logon credentials in the http request. If you have AuthentiX
installed on each machine in the cluster, then users will not have
to login each time they are served by a different machine in the cluster.

The white paper goes on to say:

"WLBS also allows modification of session
support to direct all client requests from a
TCP/IP Class C address range to a single cluster host.
This feature ensures that clients which use multiple proxy servers
to access the cluster will have their TCP connections
directed to the same cluster host. The use
of multiple proxy servers at the client's site
causes requests from a single client to appear to originate
from different systems. Assuming that all of the client's
proxy servers are located within the same 256 host
Class C address range, WLBS ensures that client sessions are
properly handled with minimum impact on load distribution among
the cluster hosts."

WebQuota and WLBS both use this same method
of dealing with proxy clients such as AOL.

Another opinion on load balancing from Adwait Ullal:
"Your best (and easiest, in terms of no coding changes) bet would be to look
at any of the hardware load balancers, such as Cisco's Local Director,
Alteon (I forget the product name), etc.
They usually have a 'sticky bit' option wherein a user coming to a
particular server will return to the same server on subsequent visits."

More info from Hank:
I successfully clustered the Authentix by installing the application on node A while it
has control of the drive array that is swapped between nodes. Once finished,
swap nodes and install the application on node B (GUI and ALL).

Anytime you move nodes, your GUI will work.
Here is the catch to making this work. Copy the flicksflt (sorry am at home and don't remember
the exact name of the filter for IIS)
DLL and the OCX to a location on your C: or OS drive. You will have to go to IIS MMC and
point to the filter that you copied to the C: or OS drive. Do this on each node.

The reason why I had to do this is that whenever the nodes were moved, the web
sites would fail and try to roll back to the node that initiated the move.
I think the reason why this happens is that IIS is not ready because of the
filter DLL and OCX are trying to be started from that shared drive array.
If you move them to the C: or OS drive, IIS is happy because it always has a copy of the IIS filter.

Here are some suggested settings for each. Apply these
settings to each directory you have protected with WebQuota/AuthentiX

Limit concurrent logins enabled checked:
Concurrent logins exceed: 3
Deny Excess checked
Notify by email checked, fill out the Configure Email dialog appropriately.
If you are using the internal database: Expire account checked
If you are using the ODBC database: Update ODBC Database
checked, fill out the Configure ODBC Update dialog appropriately.
In the main GUI dialog: Options dialog:
Limit-Concurrent-Logins, consider only
top three octets checked

Throttles enabled checked:
Restrict Kbytes served to each user: Checked
Permit up to 10000 kbytes in each 3 hour period.
Restrict Requests served to each user: Checked
Permit up to 1000 requests in each 1 hour period.
Restrict Sequential logins to each user: Unchecked

FYI....Someone from my organization has determined what the problem is. They
have an automatic proxy config script that most users are using to configure
their proxy access to the internet. The proxy is an Inktomi Traffic Server.
When using Netscape, the autoconfig script has no way of setting the exclusion
list, therefore, any subsequent access to any protected site, Netscape deems
this to be an internet (not intranet) site and since the Inktomi proxy server
(or Netscape??) caches the user id and password, it passes that user id and
password no matter what.
Thanks for all your assistance in this matter.

Q.
Can you show me the code you use for the
AuthentiX and WebQuota signup forms
- it sends confirmation email
and adds the new user to the AuthentiX database...

A.

Sure, see the
"ASPocxSamples\WebQuota Signup Sample"
subdirectory of the installation directory for a copy of this code.

The sample asks for the email address,
and uses that as the username, and you can see it in action here:
webquota/freeTrial.htm

It is usually better to use a unique identifier such as their email address
than letting them pick their own username, because if they pick their
own username, you will have to write code to check the username does not
already exist, which is a little more complicated (but easy enough to do really).

Q.
I am using AuthentiX ISP and the aspAdminISP asp web pages for remote administration,
and I am getting -14 users, and other strange results.
In the Administrator Settings, it tells me "This domain has a
bad password (status: 2). See your ISP Administrator".

A.

As the Administration Settings page indicates, the domain has a bad password.
Go to the Windows AuthentiX GUI, select the domain, and click on password.
Make sure the value there corresponds with the value in incl.asp
auth.SetVirtualDomainPassword("")

You can get a copy of the incl.asp by copying from the AspAdmin (AuthentiX Standard)
or AspAdminISP (AuthentiX ISP) directory in the installation directory.

Q.
I just used AuthentiX to protect a directory that I've been working on, and I was
shocked to find that after it prompted me for a username and password,
I could click the browser's "forward" button, then the "back" button and lo!
the protected page appears! Is this a security hole?

A.

This is happening because certain browsers will present the contents of
the local cache when you navigate this way, i.e. if you had previously loaded
the page, and it is in the browser's cache. Clear the cache
when a directory is newly protected to see the normal expected behaviour (and
the behaviour that visitors will see).

If you want to prevent this behaviour at the server-side, you could set the
Pragma: no-cache

Q.
I want to have several different directories, each with different levels
of access (corresponding to an AuthentiX Group),
but I only want users to login once, then be redirected to the appropriate directory
based on their group. How can I do this?
I don't want to put 3 buttons from a free area
because everyone will see the different access levels.

A.
Make sure that index.asp is a permitted default file in your IIS configuration.
Set up a directory structure as follows
/Main
/Main/Group1
/Main/Group2
/Main/Group3

Set up three groups in AuthentiX: Group1, Group2, Group3.

Protect /Main with all three groups.
Protect each subdirectory with its corresponding AuthentiX Group.

In /Main/index.asp have the following code:
Click on this link for code
Then make their first link into the protected directories
/main/ and they will be passed into the appropriate access level directory.

Q.
I expect to have tens of thousands of users, probably many more than that. Is the internal
database the way to go, or how do you recommend I set up the site?

A.
There is no hard-coded limit for the internal database,
however if you have or are planning to have more than about
10,000 users it is advisable to use an ODBC database instead.

The internal database is designed to help get administrators
up and running quickly.
For large numbers of users a commercial grade ODBC database such as Oracle or SQL Server
is more appropriate.

Note that you can check both the internal database and an external ODBC database
on a single AuthentiX protected directory. If the internal database doesn't find the
user, AuthentiX will do a lookup in the ODBC database.

Should this ODBC server still prove to be a bottleneck, consider
moving the database to its own dedicated machine. You should
be able to scale the dedicated database machine up as large as you wish
according to the recommendations of the database manufacturer.

If this is still not enough, consider an IP address round-robin system such
as the one Microsoft uses. Then have multiple copies of your website
on several different machines ("web-heads"). Install AuthentiX on each
of them and connect the AuthentiX protected directories to the appropriate
DSN.

However flat-files are not recommended, since ordinary files do not have
mutex protection, i.e. someone could have the file open in an editor for writing,
and no other process (such as the AuthentiX filter) can open it for reading,
so no one can get in.

File based is mainly to help transition to the internal or ODBC solutions.
Not recommended for more than a few hundred users.

The internal database is not a commercial grade database.
It is mainly to help start up easily, prior to transition
to an ODBC solution. Not recommended for more than
several thousand users.

Q.
I am using files that are played with Windows Media Player.
When they are protected with AuthentiX and Basic Authentication,
Windows Media Player
cannot access them, when using IE, although Netscape works fine.

A.
Make sure you have the latest version of Windows Media Player.
This is a bug with Basic Authentication and older versions of Windows Media player. The Basic Authentication
username and password is not being passed to the player application.
Netscape downloads the file and opens the application on that file, so it works fine.
IE sometimes also has problems with Word files and other files it tries to launch.
Call Microsoft and ask them when the fix will be ready (fixed in latest version). The tracking number
is
SRX 980 722 602 061. Bug number #31612. Some have moved to using a zipfile, or tried cookie-based authentication.

The first thing you want to check and ensure is that your "Realm" for each
protection has the same name. If the names are different that will cause
double prompting (even on the same server).

Another problem (which I believe is probably the one you have) is with the
Microsoft Media Player. This problem has been fixed with the most recent
version of Media Player. You will be double prompted for a username and
password the VERY FIRST time you use the Media Player but if you opt to save
your username and password you will not be prompted again.

Finally... if this doesn't work for you try configuring your IIS server. If
you have footers turned on try turning them off. If you have footers off
try turning them on and point the file to an "empty" file (ie. just a file
with a space or a comment tag). It's a weird bug... I don't recall which is
the correct solution because IIS4 and IIS (and above) were completely opposite
solutions. I believe you had to turn footers ON for IIS4 and OFF for IIS5 (and above).
Even Microsoft couldn't explain why the footers would affect playing a
movie. :)

Q.
How can I protect access to two dbWeb "schemas"?
A.
mark@apratech.org discovered
that it is possible to protect dbWeb Schemas.

In dbWeb, the difference between two "pages" of information
(schemas, as dbWeb calls them) is just in the "command" line, i.e.
one is
http://www.apratech.org/dbweb/dbwebc.dll/cvers?getqbe
another
http://www.apratech.org/dbweb/dbwebc.dll/disks?getqbe

as you can see the directories are the same, just the commands to the .dll
are different.

The validation works great, but you just have to leave the parameters
off (everything including and after the question mark). So you can control
access to two dbWeb schemas by authenticating the following.
http://www.apratech.org/dbweb/dbwebc.dll/cvers
http://www.apratech.org/dbweb/dbwebc.dll/disks

I found out that the Microsoft ODBC drivers for Oracle work much better
than the Oracle ODBC drivers. And also I found out that if I used the
Oracle ODBC drivers for AuthentiX to log into Oracle and then used the MS
Oracle drivers in ASP pages within the AuthentiX protected site it would
crash/freeze IIS. The solution has been to modify all my ODBC calls to
Oracle so that they use the latest Microsoft ODBC for Oracle drivers (mdac
2.0 drivers) instead of the Oracle ODBC drivers.
The MS ODBC drivers for Oracle are also easier to use/install than the
Oracle ones.

I thought you would be interested to know and that you should update your
FAQ.
regards,
Stephan.
Thanks Stephan!

Q.
I am trying to authenticate with the Software and IIS against a database
on another machine on my LAN.
It doesn't appear to work. What do I need to do?
A.
If you are using an Access database (mdb) on another machine,
or an SQL Server on another
machine using "Integrated" security, then you will need
to tell the Software to impersonate
a user that has access to that database.

Go to Options/ODBC, check
the "Impersonate user when accessing database" checkbox, and enter the username and password
of the user that has permission to access the remote database.

If you are using SQL server with Standard or Mixed security, and you have the
username and password in the DSN, you will not experience this problem.

Q.
I am trying to use an SQL database on the same machine which uses trusted (or mixed) security.
The Test button works but it doesn't let me in.
A.
When you are using this model, you will have the same problem and need the
same solution as if you were trying to use a database on a remote machine.

Q.
OK, but why is it that only your software needs to do this to access the database? I
have no problems with ASP, Cold Fusion, InfoMaker, Powerbuilder, etc.
A.
It is to do with how the system loads services and the permission it
assigns them. When the IIS service is loaded (and
consequently the AuthentiX filter along with it) it
is given a special identity. This identity only has anonymous
access to local resources. If a service needs resources which
require additional permissions, then the service (and any dll's
it loaded) needs to impersonate a "real" user.
I cannot speak to the other applications you
mention, however if they do not load as
part of a system service, then they won't
have the same kind of requirement, because they'll
be running in the context of a "real" user (just like
the AuthentiX windows GUI, when you hit the Test button).

will succeed using the Test button,
but will fail when trying to Authenticate actual web pages.
Instead make sure you have
select password text: Password
without the Users. part.

This is because the test button merely executes the statement and returns the number of rows.
However when authenticating, AuthentiX binds to the columns of the ODBC result, according
to the names of the fields returned by the ODBC calls. These only return the field name, and
not the table-qualified name.

Make sure the directory you are trying to protect with AuthentiX is not protected by NTFS.
Use Windows NT (2000) Explorer (not IE) to go to the directory/folder you are trying
to protect with AuthentiX. Right click on it to bring up the Properties/Security/Permissions.
Grant Read and Execute rights for everyone.

In the Microsoft Management Console (MMC) IIS settings for your site/directory, check
that Allow Anonymous is ON, Basic Authentication is OFF, NTCR/Integrated/Digest Authentication can be ON or OFF.

Make sure the Flicks installation directory and all its subfolders and files have
Full Control for Everyone. Also make sure
the root directory has Read and Execute permission for IWAM_machinename and
IUSR_machinename.

You can lock down the permissions by experimentation later, but these are the most
common things required to start up.

A.
From version 5.1 and above, successful installation is as easy as it could possibly be,
including automatic installation of the filter, and popping up the AuthentiX
main dialog which now has a confirmation message indicating the
successful installation of the filter:

If you have any previous versions of the software (AuthentiX or WebQuota)
uninstall it from the control panel (Services - Add/Remove programs).
Your data files (*.adb) will be preserved.

Run setup.exe.

Note - if you have disabled the 16-bit Windows subsystem, InstallShield won't even load, let alone work properly.
You will get no error messages, nothing. Re-enable the 16-bit Windows subsystem. Turn it off after if you need to.
See also here.

For versions prior to this, or if the automated installation runs into problems,
please refer to the following:

Make sure you followed the installation instructions you
saw when you installed the software.
Here they are again for your reference.

Go to the Microsoft Management Console for IIS.
Click on the item with your machine name.
Right click on it and select Properties.
Click on edit and select the ISAPI Filters tab.
Click on add and type in
Membership Protection Software
in the filter name field.
Click the browse button and select the filter
authxflt.dll
in the installation directory
If it does not appear, Explorer/View/Options "Hide System Files" is checked, so you'll have to type in authxflt.dll by hand.
Press OK until you return to the ISAPI filters tab.

The filter should now be installed.
If the filter's priority is unknown (it will be at first),
Apply and OK all changes until you have exited the
Microsoft Management Console.
Then stop IIS Admin Service (IIS4/5 and above) or World Wide Web
Publishing Service (IIS3) from the Control-Panel/Services and restart.
Return to the ISAPI filters tab again.

Are you sure you are installing the filter at the machine
level (in the MMC tree) and not on a sub-web?
And then checking the same place?
If you see
An attempt was made to load filter 'C:\Program Files\Flicks
Software\AuthentiX\AuthXflt.dll' on a server instance but it requires the
SF_NOTIFY_READ_RAW_DATA filter notification so it must be loaded as a global
filter.
in the Event Log then you are trying to load the filter on the default website, or
a sub-web. You need to load it at the machine level per the instructions above.

In the application event log, when you start IIS,
there should be a message containing
"Successfully Loaded Configuration Data",
and another containing "AuthentiX Started". If not there then the filter
is not installed properly.
Try stopping and restarting IIS Admin Service (IIS4/5 and above) or World Wide Web
Publishing Service (IIS3) from the control panel and restart.
Stopping IIS 4 from Microsoft Management Console (MMC) has virtually no effect.
Be sure to stop and restart from the CONTROL PANEL.
If that doesn't work try a reboot (this can make the difference!).

Permissions

In order to first make sure that permissions are not an issue in
the correct operation of the software, make sure
IUSR_machineName and IWAM_machineName have full access to the Flicks installation
directory and the system32 directory.
If this does not work, grant Full Access to Everyone for the Flicks Installation directory,
and all subdirectories and files.
You may wish to experiment with reducing the amount of access granted to
these directories, in accordance with any security policy. Likely
you will need at least write access to the Flicks installation directory,
so that the ASP based remote Administration can update its configuration files
held there. Also you will definitely need at least read permission on system32!
The software needs Users Group to have at least Read permission on all folders down from the root.

Q.
If I am using an ODBC database (say SQL
Server), are the remote administration module and properties of the OCX useless to
add and remove users from an ODBC database?

A.
Not completely useless. There is the ability to add/search/remove users etc from an ODBC database,
BUT ONLY if you are using a Standard Select Statement, and ONLY if your database
has no other fields that AuthentiX doesn't know about.
(See aspAdmin/default.asp, click on "Access List", click on "ODBC Users").

For example if your customer record has a zip code field which
is a required field, there is no way AuthentiX can know about this,
and so adding/modifying the record will fail. You will
have to create your own ADO/ASP code, but you can
still use the samples in the aspAdmin/ODBC as a starter sample.

The software will still validate users in your database regardless of their format
so long as they have a field for the username and a field for the password somewhere.

I found the solution for the SQL Server 255 character limit when using
ocxQmail directly from within a SQL stored procedure. Your "Another SQL
Example" sample already has the solution but it does not appear that it is
known that it is there. The solution is to pass the body of the message
into the stored procedure as a text data type instead of declaring a local
varchar data type variable greater than 255 characters.

A.
You might encounter this in trying to set up the software. This is a message from
IIS saying that there is no default file in the directory you are looking at, AND
you do not have directory browsing enabled. While you are setting up new web directories,
it is often easier to enable directory browsing, just in case you mistype the default
file when you are saving for example.

Q.
I've moved on from the Standard and Custom ODBC Select statement and I
am in the process of setting up with the
"Advanced"
ODBC string. Tell me more about this.
A.
While the Standard and Custom options are useful to get AuthentiX
working quickly and easily, the Advanced option is useful for
database experts who want complete flexibility and power.

When you use the "Use string to validate (empty rowset indicates failure)" option,
a simple macro substitution is made at run time, replacing values such
as $USERNAME$ with their runtime values.
Then the statement is executed using the ODBC SQLExecDirect call.
Make sure the statement you
use makes sense to the ODBC driver and database you are using.
If the call results in an empty rowset, access is denied; otherwise
access is granted, and the username and password combination is
stored in the AuthentiX
ODBC username/password cache.

The other two Advanced Options ("Use Standard Select to validate, execute ODBC string on success."
and "Use Custom Select to validate, execute ODBC string on success.")
only call the Advanced ODBC string if they succeed. This can
be useful if you want to log successful logins, for example.
In this case the $VERIFY$ macro substitution indicates whether
this is an initial login, or a verification against the database,
in accordance with the
operation of the ODBC cache.

CREATE PROCEDURE VerifyUser
@UserName VarChar(50), /* THIS IS THE USERNAME PARAMETER */
@Password VarChar(15), /* THIS IS THE PASSWORD PARAMETER */
@DirName VarChar(50) /* THIS IS THE DIRECTORY NAME PARAMETER */
AS
/* THIS SELECT RETURNS A NON-EMPTY RESULTSET IF */
/* THE USER IS A MEMBER OF A GROUP THAT HAS ACCESS TO THE */
/* REQUESTED DIRECTORY AND IF THE USER HAS A VALID PASSWORD */
SELECT @UserName, @Password, @DirName FROM
WebUsers w, UserRelations u, GroupRelations g, GroupDirs d
WHERE w.UserName=@UserName
AND w.Password = @Password
AND w.UserID = u.UserID
AND u.GroupID = g.GroupID
AND g.DirID = d.DirID
AND d.DirName =@DirName
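
An added example, not taken from the AuthentiX samples or from the original FAQ: the same four-table check as VerifyUser, run against a constructed SQLite database in Python, with the $NAME$ macros turned into bound parameters instead of being spliced into the SQL text. $PASSWORD$ and $DIRNAME$ are hypothetical macro names, and how AuthentiX itself performs the substitution is not stated here.

```python
import re
import sqlite3

# Constructed schema: the four tables joined by the VerifyUser procedure above.
SCHEMA = """
CREATE TABLE WebUsers       (UserID INTEGER PRIMARY KEY, UserName TEXT, Password TEXT);
CREATE TABLE UserRelations  (UserID INTEGER, GroupID INTEGER);
CREATE TABLE GroupRelations (GroupID INTEGER, DirID INTEGER);
CREATE TABLE GroupDirs      (DirID INTEGER PRIMARY KEY, DirName TEXT);
"""

# Validation string in the page's macro style. $USERNAME$ appears on the page;
# $PASSWORD$ and $DIRNAME$ are hypothetical macro names used for illustration.
TEMPLATE = """
SELECT w.UserName
FROM WebUsers w, UserRelations u, GroupRelations g, GroupDirs d
WHERE w.UserName = $USERNAME$
  AND w.Password = $PASSWORD$
  AND w.UserID   = u.UserID
  AND u.GroupID  = g.GroupID
  AND g.DirID    = d.DirID
  AND d.DirName  = $DIRNAME$
"""

MACRO = re.compile(r"\$([A-Z]+)\$")


def bind_macros(template, values):
    """Replace each $NAME$ macro with a '?' marker; return (sql, params).

    The runtime values travel as bound parameters, so a quote inside a
    username or password stays data and never becomes part of the SQL text.
    """
    params = []

    def to_marker(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no runtime value for macro $%s$" % name)
        params.append(values[name])
        return "?"

    return MACRO.sub(to_marker, template), params


def verify_user(conn, username, password, dirname):
    """Empty rowset means access denied; any row means access granted."""
    sql, params = bind_macros(
        TEMPLATE,
        {"USERNAME": username, "PASSWORD": password, "DIRNAME": dirname},
    )
    return conn.execute(sql, params).fetchone() is not None


def build_sample_db():
    """In-memory database with constructed users, groups and directories."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO WebUsers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "correct-horse"),
        (2, "o'brien@example.com", "it's-fine"),  # apostrophes on purpose
    ])
    conn.executemany("INSERT INTO UserRelations VALUES (?, ?)", [(1, 10), (2, 20)])
    conn.executemany("INSERT INTO GroupRelations VALUES (?, ?)", [(10, 100), (20, 200)])
    conn.executemany("INSERT INTO GroupDirs VALUES (?, ?)", [(100, "/paid"), (200, "/paid/b")])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(verify_user(db, "alice@example.com", "correct-horse", "/paid"))    # granted
    print(verify_user(db, "alice@example.com", "correct-horse", "/paid/b"))  # denied
```
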

Also,
"Alexandre Volpim" (volpim@camerasurf.com.br)
shows us how to create a stored procedure with multiple selects.

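set nocount on
declare @loginCheck varchar(100)
/* look up the login; @loginCheck stays NULL when nothing matches */
select @loginCheck=login from clients where login=@login and
password=@password
/* log the successful login */
if (@loginCheck<>'')
begin
insert into log (login,date) values (@loginCheck,getdate())
end
/* the last select supplies the result set */
select * from clientes where login=@loginCheck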

The result of this stored-procedure will be the result of the last Select
because all other statements (select and insert) don't return data.
This SP is not useful, but my idea is to transform the IP of the form
xxx.xxx.xxx.xxx to a int before the select statement. The code to transform
the IP didn't return data, but the SP doesn't work.
Actually I call another SP (valIP) in the authentication SP:

Q.
I've tried everything. The Test button works fine, I've set all the optional
switches, it's a system DSN, I have permission to access the database from
IIS, I've read and tried everything else in the FAQ, what else can I do to
find out what is going on?
A.

It is often useful to enable ODBC tracing. In the Control Panel, double click
the ODBC icon, and select the Tracing Tab. Select the options you need to enable tracing.

If you are using SQL Server, you can use the Profiler to examine the incoming requests to the database.
Other databases should have a similar diagnostic tool.

As a last resort, there is a debug mode that you can enable as follows:
In

create a value called MARIO, of type DWORD, and set it to be 1.
Stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web
Publishing Service (IIS3) from the control panel.
Restart WMS if you are using VideoQuota.
When it fails, check out the application event log.
You should see various extra entries and they should say things like this:
The description for Event ID ( 0 ) in Source ( MARIO Debug1 )
could not be found. It contains the following
insertion string(s): 1 rows, password from
db is: *petepete* password supplied is: *petepete.

Inspect all the values and output generated, they should
give extra clues as to what is going on.

If it says 0 rows, then likely the connection to the db is failing.

For more detailed messages, set MARIO to be 2.
For really detailed messages, set MARIO to be 3.

Note 1: In some circumstances, turning on the Options/Passwords checkboxes can leave
encoding/encryption on, even when the checkboxes are subsequently turned off.
This will have the effect of no usernames/passwords ever being able to log in, even though
the Test button succeeds.
Using regedt32.exe, in the AuthentiXConfig registry area mentioned above, make sure there are no keys containing
"EncryptDLL" - if there are, delete them, and reboot.

Note 2: If you ordered the software "By IP Address" and you change the IP address, ODBC access will stop working.
Running the application will show "Trial Expired".
The application log event will have an entry saying "Trying to ODBC lookup, but trial expired".
See "Delivery Method" on the
product order page,
where it says: "I understand if the IP changes I will have to upgrade."
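
An added example, not part of the product: a Python helper that reads a MARIO debug entry in the format shown above, reports the row count and whether the stored and supplied values match, and redacts both values before the entry is passed on to anyone else. The pattern is inferred from the single sample entry above; the 0-rows and mismatch entries are constructed.

```python
import re

# The debug entry quoted above, line breaks as shown in the event viewer.
SAMPLE_ENTRY = """The description for Event ID ( 0 ) in Source ( MARIO Debug1 )
could not be found. It contains the following
insertion string(s): 1 rows, password from
db is: *petepete* password supplied is: *petepete."""

# Constructed entries for the other two cases discussed in the text.
ZERO_ROWS = "0 rows, password from db is: ** password supplied is: *petepete*"
MISMATCH = "1 rows, password from db is: *cGV0ZXBldGU=* password supplied is: *petepete*"

# Assumed layout: "<n> rows, password from db is: *<stored>* password supplied is: *<supplied>*"
ENTRY = re.compile(
    r"(\d+)\s+rows,\s*password\s+from\s+db\s+is:\s*\*(.*?)\*\s*"
    r"password\s+supplied\s+is:\s*\*(.*?)\*?\.?$"
)


def normalise(entry_text):
    """Collapse the event viewer's line wrapping into single spaces."""
    return " ".join(entry_text.split())


def triage(entry_text):
    """Return row count, whether the two values match, and a next-step hint."""
    m = ENTRY.search(normalise(entry_text))
    if m is None:
        return {"rows": None, "match": None,
                "hint": "no row/password details in this entry"}
    rows = int(m.group(1))
    match = m.group(2) == m.group(3)
    if rows == 0:
        hint = "0 rows: the connection to the database is likely failing"
    elif match:
        hint = "row found and values match: the lookup itself is working"
    else:
        # Possible causes only; an encoder left on is the case Note 1 describes.
        hint = "row found but values differ: wrong password, or an encoder DLL still active (Note 1)"
    return {"rows": rows, "match": match, "hint": hint}


def redact(entry_text):
    """Mask both password values so the entry can be shared or archived."""
    text = normalise(entry_text)
    m = ENTRY.search(text)
    if m is None:
        return text
    # Replace the later span first so the earlier offsets stay valid.
    for group in (3, 2):
        start, end = m.span(group)
        text = text[:start] + "<redacted>" + text[end:]
    return text


if __name__ == "__main__":
    for entry in (SAMPLE_ENTRY, ZERO_ROWS, MISMATCH):
        print(triage(entry)["hint"])
        print(redact(entry))
```
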

Copy the entire aspAdmin installation subdirectory from the installation directory
to a script enabled directory under your web root.
Use a browser to go to this directory (via IIS, not via the file system) and
remotely administer via html and asp.

You may wish to rename the directory, so that malicious people will not immediately guess where it is.

Be sure to set up protection for this directory.
Click on the link "Administrator Settings", which will indicate whether
the current directory is protected, and offers a single button to set
up AuthentiX protection for that directory.

There are other ways to protect the directory, for
example "By Referrer", which can be used in combination.
In addition
the Operating System allows you to protect with NT protection, and/or
combine any of these methods with SSL.

Apply the level of protection that you feel is appropriate.
Definitely do not announce to the world
the location of this directory and leave it unprotected! (Do I even need to say this?)

For IIS6 and above it should run fine as is. You can run it in its own application space.

For IIS6 and above make sure Active Server Pages (ASP) is enabled:
In IIS Manager, expand the local computer, and then click Web Service Extensions.
In the details pane, click Active Server Pages, and then click Allow.

AuthentiX ISP Only:

Copy the entire aspAdminISP installation subdirectory from the installation directory
to a script enabled directory under your customer's web root.
Use a browser to go to this directory (via IIS, not via the file system) and
remotely administer via html and asp.

You may wish to rename the directory, so that malicious people will not immediately guess where it is.

Be sure to set up protection for this directory.
Click on the link "Administrator Settings", which will indicate whether
the current directory is protected, and offers a single button to set
up AuthentiX protection for that directory.

There are other ways to protect the directory, for
example "By Referrer", which can be used in combination.
In addition
the Operating System allows you to protect with NT protection, and/or
combine any of these methods with SSL.

Apply the level of protection that you feel is appropriate.
Definitely do not announce to the world
the location of this directory and leave it unprotected! (Do I even need to say this?)

If you are setting up remote administration for an Administrator by host-header,
go to the incl.asp file in aspAdminISP directory you have just copied and
uncomment the line with
protectedDomain = "hostheader.com"
Change the value to be the appropriate host-header name.
10/6/03: You need to enable the host-header for protection, then restart IIS for the filter to read in
the new host-header information.

If you are setting up remote administration for an Administrator by directory:
First add a new administrator from the main AuthentiX ISP dialog ("Add").
Check the option button for "Directory Based Administrator" and enter appropriate values
in the text-boxes.

Then go to the incl.asp file in aspAdminISP directory you have just copied and uncomment the line with
protectedDomain = "hostheader.com"
change it to:
protectedDomain = "Dir1"
Change the value to be the unique descriptive name (UDN) you entered
in the Add/Edit Administrator dialog
(here it is Dir1, but enter whatever you set the UDN to be).

If you set this administrator's password, be sure to set the
password in the incl.asp line here:
auth.SetVirtualDomainPassword("adminPassword")

For superUser administration (allowing you to create host-header administrators
remotely),
copy the entire aspSuperUser installation subdirectory from the installation directory
to a script enabled directory under your own web root.
Use a browser to go to this directory (via IIS, not via the file system).

Set the password
auth.SetSuperUserPassword("superUserpassword")
in the incl.asp file to match the password you set in the Options/ISP AuthentiX dialog at
the console.

Q.
With Cookie based protection, I've protected a directory
//servername/dirname, however when I go to //servername/dirname
it prompts for a password even though I have got in successfully
to //servername/dirname/ (with the slash included).
A.

In your equivalent of loginNow.asp, set the protectedDirectory
to be
protectedDirectory = "/asp/ACookieLogin/example2/members"
instead of
protectedDirectory = "/asp/ACookieLogin/example2/members/"

Q.
I am using IIS4/5 (and above), and a virtual web site in its own memory space.
I am getting the error reason=denied_cookie_timed_out, even if I
am using Basic Authentication!
A.

Running the web site in its own virtual memory space is causing
this problem. Switch this off.

Separate memory space for web-applications
should be restricted to development phase only.

Q.
During installation, I get an error regarding the Virtual Device Driver.
It gives an option to Quit, or Ignore.
A.

Ignoring this error lets the install continue, without problems.
I believe it is related to another vendor's previous Installshield install,
which did not clean up properly after itself.
Microsoft also has exactly this:
http://support.microsoft.com/support/kb/articles/Q254/9/14.ASP

Q.
I am using AuthentiX/WebQuota ISP, however I cannot get into
any of my websites when AuthentiX is installed.
I turned on the Option to "Show reason in Access Denied message",
and I get
DENIED_INVALID_3b

A.
This message means "cannot find serverhome".
When you run the AuthentiX windows GUI, make sure the full list of your machine's IP addresses comes up.
Make sure you are using static IP addresses, not DHCP.
With IIS4/5 (and above) make sure that the IISAdmin is running.
Make sure the filter is loaded at the machine level and not on a sub-web.

Also, this is an interesting MSSQL statement which may be of assistance:

SELECT * FROM PHONE WHERE {fn UCASE(LAST)} LIKE 'URWILER%'

Q.
I want to change the dialog box the user sees when logging in using Basic Authentication.
Where in AuthentiX do I set this up?

A.

The login dialog box presented to the user is part of the browser. The only way to
change it is to modify the browser source code. AuthentiX cannot change it at all.
You can however modify the realm and the message the user sees when the login fails.

If you need to control exactly what the user sees when logging in, then change to
protection by cookie, and create an html form that suits.

Q.
I am concerned about encryption/encoding. Does AuthentiX encrypt passwords with
Basic Authentication? How about with cookie-based AuthentiX authentication?

A.

Basic Authentication uses Base64 encoding to encode the username
and password between the browser and the server.
Adequate for most purposes, Base64 encoding can be enhanced to become very secure if you use
it in combination with SSL.

If you are concerned about encoding/encrypting the passwords in
the internal or ODBC database, then you can use
the
Options/Password dialog
to set an encoder/encrypter dll.
The software comes with Base64 encoding dll, or you can build your own.

With cookies, there are now two AuthentiX flavors, one using
http://www.flicks.com/authentix/CookieLoginValue.htm
which encodes the cookies (proprietary encoding loosely built on base64) and one using
http://www.flicks.com/authentix/cookieSWValue.htm
which uses MD5 hashing so the password can in theory never be cracked.
Note that using a form to login (as is done with cookies) means that the
username and password will be passed to the server once only in the form POST.
Although this is in clear text, the chances of interception are very small.
However, if this is still a concern, put just the login page and
asp script under SSL, thus securely protecting the clear text posted data,
then redirect to non-ssl pages. Browsers should
pass a cookie from SSL pages to non-SSL on the same site (note that
the reverse is not always true).

With any of these methods using SSL (https) will add a level of encryption which is virtually unbreakable.

Q.
I'm using cookie-based login. A user bookmarks a page, then the following week she
returns to it and is sent to the login page. Now I want to
redirect her to her original bookmarked page.

A.
When they try to go to the bookmarked page and the login page comes up,
the URL should look something like this:
https://www.flicks.com/?reason=denied_cookie_timed_out&script_name=/secure/scripts/acookielogin/members/authentix.GIF
Grab the script_name out of the QueryString, pass it on to loginnow.asp,
and redirect to the script_name in loginnow.asp.

If there are parameters (eg protectedfile.htm?x=1&t=2)
then these will be passed to the login page too (at least with 5.3 and above).
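
One way to carry out the script_name hand-off, as an added example that is not the loginnow.asp sample shipped with the software: the value arrives in a URL the visitor controls, so it is accepted only when it is a plain path inside the protected directory. Python is used for illustration; the function name, the protected directory and the fallback page are assumptions, and parameters are assumed to arrive URL-encoded inside script_name.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# The denied URL quoted in the answer above.
DENIED_URL = ("https://www.flicks.com/?reason=denied_cookie_timed_out"
              "&script_name=/secure/scripts/acookielogin/members/authentix.GIF")


def return_path(denied_url, protected_dir, default):
    """Return the path to redirect to after login, or `default` if unsafe.

    denied_url    -- URL of the login page as the browser requested it
    protected_dir -- directory the login form guards (assumed value)
    default       -- where to send the visitor when script_name is unusable
    """
    values = parse_qs(urlsplit(denied_url).query).get("script_name", [])
    if len(values) != 1:                      # missing or repeated parameter
        return default
    target = values[0]

    # Only a site-relative path is acceptable: no scheme, no host,
    # no scheme-relative "//host", no backslashes, no control characters.
    if not target.startswith("/") or target.startswith("//"):
        return default
    if "\\" in target or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default

    # Resolve "." and ".." before comparing, then require the result to sit
    # inside the protected directory (IIS paths compare case-insensitively).
    norm = posixpath.normpath(parts.path)
    root = protected_dir.rstrip("/").lower()
    if norm.lower() != root and not norm.lower().startswith(root + "/"):
        return default

    # Keep a trailing slash and any original parameters.
    if parts.path.endswith("/") and norm != "/":
        norm += "/"
    return norm + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    members = "/secure/scripts/acookielogin/members/"
    print(return_path(DENIED_URL, members, members))
```
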

A.
In one of the directories you are protecting with Basic Authentication,
you have specified to get the
access denied message from a text file.
This file either does not exist, or cannot be opened because of its NTFS permissions.

Make sure you specify a text file that exists and that IIS can access.

A.
If the protected directory is in a different ASP "application"
than the non-protected directory, then ASP session variables will
be lost. If you want to keep the session
variables between the non-protected and protected areas, then make
sure they are both in the same ASP "application". Consult
your Microsoft documentation for more details.

Authentix Wrap
The description for Event ID ( 0 ) in Source ( Authentix:Wrap ) could
not be found. It contains the following insertion string(s):
Successfully Loaded Configuration Data.

This means that AuthentiX has Successfully Loaded Configuration Data.

AuthentiX
The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be
found. It contains the following insertion string(s):
AuthentiX Started.

This means that AuthentiX has Started.

AuthentiX
The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be
found. It contains the following insertion string(s):
AuthentiX Finished.

This means that AuthentiX has Finished.

By the way, if you need to telephone tech-support with an unusual Event Log message,
you don't need to read out "The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be
found. It contains the following insertion string(s):".
Just the information after the colon will suffice.

I recently purchased and installed a copy of AuthentIX for our
departmental Win2K/IIS server. The installation went fine, but
I'm having trouble making the authentication via the NT database work
at all. After I create the "template" file and place it in the
appropriate web source directory, I am unable to login via the
appropriate NT username and password. I've tried using the
"Test" button on the NT tab, and even if I test using my
Administrator account and password, the program replies "Unable
to login as Administrator" (or something similar).

A.

Open up interactive logins for *everyone* at the domain console.

Allow interactive logins at the domain console, since it's physically
located in a secure place. It's *not* the default setup for Windows
2000 though, and it's not an easy setting to find buried in the domain
security policy.

If that doesn't solve it, try turning on Security Auditing on the template file,
and see which account is trying to access it. I'm pretty sure this is a setup issue,
since it normally works fine.

Q.
I have two websites that have
differently named domains: www.economics101.com and www.economicsToday.com.
How do I get a single logon that permits the browser to go to both domains,
but doesn't pop up a second login dialog
when I go to the second domain?

A.
One way to do this is to protect by referrer, with failover.
See the dialog here:
http://www.flicks.com/authentix/discover/access/byReferrer.htm
On each domain, protect by referrer in the usual way, allowing referrals from both domains. Check
the checkbox saying "If locked out by referrer, authenticate by database, and if not
locked out, don't authenticate." and set up the database protections as normal.

This will allow links from one domain to the other, while checking permissions on both.

This will work for two or more domains.

An alternative method (useful if you have different groups with overlapping sets of users permitted to the
different domains' protected areas) is the following:

Set the protect by referrer to protect anyone that is referred from the
-existing- site, then any links on the other should link with the
following:
http://username:password@www.domain.com/members
- but see here

this last is of type REG_MULTI_SZ and contains the list
of IP Addresses configured for that network card on the machine.

Using regedt32.exe, if those registry areas do not exist,
contain no IP addresses, or do not have correct read
permissions for IIS, then the IP
addresses will not appear in AuthentiX ISP.

For security reasons, AuthentiX ISP will only allow
requests on IP addresses that it knows about.

As a workaround, you can manually create the
entries AuthentiX is expecting to see.

Also, this from Bart Verbeek:

If you change the IP addresses in the
registry key described above, Authentix does not
see them. (Editing this key can be useful if
you want to assign multiple IP addresses to a single
network controller.)

Workaround:
After changing the IP addresses in the registry key and
rebooting the machine, open the network properties --> TCP/IP --> Button
Advanced...
Delete one of the new IP addresses, and close all network property sheets.
Directly after that, reopen the network properties --> TCP/IP /
Button Advanced... and add the IP address which you deleted a few
seconds ago.
Close all network property sheets. Open the Authentix Admin Program,
and TADAAH there are your lost IP addresses :)

Q.
I am using the
Extensibility SDK
with a COM object written in Perl for authentication.
However I am getting
Could not AfxOleInit (2)
and
RPC_E_CHANGED_MODE
in the event log, and I cannot get access with a valid username password.

A.
The Win32 implementation of Perl is initialized
to COINIT_MULTITHREADED by default.
However for robustness and security, the
Extensibility SDK calls the COM object on a thread
that is COINIT_APARTMENTTHREADED.

If you are using Perl for other applications on the
same machine, then they will initialize Perl as multithreaded
and the above conflict will occur.

Set Perl to initialize as COINIT_APARTMENTTHREADED to solve this problem.

Note:
Perl starts out with a dispatch id of 0, which AuthentiX won't accept.
Make a dummy function and the second function will be number 1 - use that one.
You can use OleViewer to find the dispatch id of functions you create.

Another thing to try:
Set
HKEY_LOCAL_MACHINE /Software /Flicks Software /AuthentiX /1.0 /AuthentiXConfig / omitoleinit
to be 1 and reboot.
This skips the OleInit call before calling the COM component.

Q.
I would like to use AuthentiX in combination with LDAP,
How can I do this?

A.
While there is no built-in support for LDAP at the present time (in part
because requirements seem to vary so widely), special thanks go out to Jennifer
Trotts for this LDAP sample.
Flicks Software presents this as is, with no warranty.

Using the
Extensibility SDK
helped Jennifer set this up, and can help you set this up for your particular requirements.

Q.
The adb file has been trashed! What happened and how do I fix it???

A.
Likely another application or ASP file has opened the file via the
OCX and then died, locking out the file.
Or perhaps it has been opened by another application directly for
writing, thereby locking everyone else out.

To avoid a reboot when restoring your backup copy of the adb file:

Stop IISAdmin (not just IIS), the Windows GUI, and
any other software using the product (including the event viewer if you have it open).

A.
This means that several updates of the internal database occurred simultaneously
and the internal locking mechanism was overloaded and could not complete a task.
Probably a new user failed to be added.
If this occurs frequently, then you need to move to using
a commercial database such as SQL server. The internal database is intended to
help beginners get started easily, and is not supported for tens of thousands of users,
or exceptionally heavy load.

It seems the IE browser likes to cache the content-type for documents such that
in a scenario where you may request a file from a protected directory, such
as myFile.exe, if you are denied for whatever reason (resulting in HTML
'denied' response), then a subsequent successful authenticated request for
the same file from the same session is treated as an HTML response and
results in the binary streaming into the page as opposed to eliciting the
'Open/Save' dialog.
This is a bug in the browser and should be reported.

Q.
I want the option of
using my existing NT or Active Directory Accounts
as well.

A.

Sure you can do this. Use the By NT tab dialog.
You can do this by creating a "template" file, containing nothing (important).
The permissions you set on the file (eg Windows NT "Internet Group") will determine
who can access the corresponding folder.
See also here.

If you are having problems authenticating against a text file, check the Application
Event Log to see if there are access errors. If so:

The ROOT of the drive that will have the passwordfile.txt files has to
have advanced permissions set for the Everyone group.
Right click on the drive, security, ADVANCED, add:
Add the Everyone group with the following advanced permissions:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

Q.
I have multiple protected directories and each are subdirectories of each other, ie
/paid/, /paid/b/, /paid/c/, /paid/c/d/, etc.
They are all separately protected by the same group.
When a browser goes straight first to /paid/c/ he is prompted once.
Then when going to /paid/b/ he is prompted again for the same username/password!
I want him prompted only once!

A.
Make sure that all of the protected directories have the exact same Realm.
The default Realm is always the same, so it will work as you want unless you have
changed the realms to be different on each directory by hand.

Q.
I have a "webfarm", of 15 web server machines.
I want to have a single location in which to manage my users and groups.
How can I protect directories
on each machine from a single location?
A.
With ODBC, you can manage access to multiple webservers in a
web-farm from a single database.
Set up each AuthentiX directory you want to protect on
each webserver, protect by ODBC and set the DSN to the single remote ODBC server.
You can use the "Standard Select", "Custom Select" or "Advanced ODBC" to
configure
your ODBC SELECT statements.

When you update the directory protections (adding a new directory), then
make the changes in both .adb files on both machines. If you make a lot of
complex changes, then you can copy the adb file from one machine to another,
as here.

Q.
I am using the remote admin tool with an ODBC database,
however I am getting
31, ODBC error with statement, error number is: 3704
The operation requested by the application is not
allowed if the object is closed.
A.
This is likely a permissions issue accessing the database.
You need to grant access to the database to the
IUSR_MachineName or IWAM_machinename accounts,
or modify the login parameters in
the DSN string.

Q.
I'm getting error 1450 in the event log.
A.
This means that insufficient resources exist to complete a request.
Some versions of NT only allow a program to access a registry key up
to 64k times, after which all accesses to the key fail, producing unpredictable results.
Microsoft recognises this problem, and recommends rebooting.

Prior to Version 5.1f1, the software checked the registry every minute.
For Versions 5.1f1 and above, the software checks registry keys only once.
This may mean rebooting when some program options are changed (adding users, protecting
directories etc will not be affected - no reboot is required).

A.
This version had a bad build of the ocx component. This version was only available for two weeks in February of 2001.
We gave free upgrades for 18 months, however this free offer has now expired.
Please upgrade here.

Q.
I've got thousands of files, each of which I want to have different permissions.
Customers can buy access to any number of these individual files, and this information
is stored in an ODBC database. Do I have to individually protect each file with
a different SELECT statement, or
is there an alternative?

A.
Each file or directory that has different access requirements will need its own
protection entry. For lots of files, this can be problematic, impracticable, or impossible.

Q.
Is there a way to check for the script_name, the file requested, in the
custom select statement? I can't seem to get it to work?

A.
No there is not. There is the risk that you will spend time doing this only
to find it does not work properly: the software caches username/passwords on
a per-protected directory basis. So if you try and differentiate
access on sub-files or sub-directories, once they are in, they are in for them all.
Probably not what you want.

Q.
I cannot access any WMS files!
I am getting an NSUnicast Error in the application event log,
with the message "The Windows Media Unicast Service Plugins encountered a catastrophic failure."
in plugin:
"VQTrack
ErrorCode=0x80040154."
A.

Likely you are missing a file that should previously have been on your system:
MSVCP60.DLL (in the system32 directory).

Q.
I want to protect both WMS served video, and IIS served webpages with Basic Authentication, but I
only want the user prompted once.
A.

Since IIS and WMS use a different protocol, and different browser/server
player/server combinations, the first time they access
web pages they will be prompted for password, and
the first time they access video, they will be prompted.

You could try VideoQuota protecting by
referrer, and only allow referrers
from your own website, and see if that works for
you. That won't prompt for videos, but still restrict their access.

The latest version of VideoQuota (5/5/08) does allow for single sign-on! Contact us for details...

I have got the problem solved perfectly on my local server (!!) by following
your instructions:

- Adding the AUTHXOCXLib COM object to the project.

Here's how Microsoft suggests:
In Solution Explorer, right-click References, and then click Add Reference.
Click the COM tab, and then click Browse.
Locate Project1.dll, and then click Open.
On the Add Reference window, click OK.
Instead of locating "Project1.dll" locate
"AuthCOM ActiveX Control module"
and NOT the
"AXSupport ActiveX Control module"

When using the AuthentiX "Impersonate User" functionality:
In the .NET application file web.config,
you MUST put in the tag
<identity impersonate="true">
under the <system.web>
tag,
otherwise .NET impersonates the user ASPNET.
You mustn't put in the user name/password with the identity tag either.
Then everything works as expected.

Note the use of <%@ Page aspcompat=true %> .
Without this you will get the error: "The component 'AUTHXOCX.AuthXOCXCtrl.1' cannot be created. Apartment
threaded components can only be created on pages with an <%@ Page
aspcompat=true %> page directive."

the directory is added and shows up immediately
in the GUI and the aspadmin web tool.
But the ODBC properties and AuthentixDBenabled do not get
recorded. note the use of the flush method.
then I tried the following change

I want to replace the last argument with a zero so the user doesn't
expire, but VS.NET insists that this last argument has to be of type
System.DateTime which doesn't allow null values, and won't convert from an
integer.

I actually managed to work out how to make a zero expiry -
I used DateTime.FromOADate(0) and it seems to work just fine.
The only other thing I noticed using .NET is
that the 'optional' arguments for
the method (Description, Expiry) aren't optional - you have to
enter all the parameters, but I think that's fine for what I need so far.

The COM sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\Ole\EventLog.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.